On Thu, Mar 14, 2013 at 9:20 PM, Denis Gervalle <dgl(a)softec.lu> wrote:
Hi devs,
We have a new (component based) authorization module since a while now,
and I think 5.0 is the perfect time to introduce it as the default right
service. First, I simply propose to change the default in xwiki.cfg:
xwiki.authentication.rightsclass=org.xwiki.security.authorization.internal.XWikiCachingRightService
(Later, I propose that we deprecate that bridge and that we create a
friendly (xwiki oriented) interface over the more generic
org.xwiki.security.authorization.AuthorizationManager. But leave this for a
later proposal.)
So this vote is about changing the default in xwiki.cfg before 5.0M2.
pros:
- improved performance, since the new service is using caching techniques
and a single page load required lots of calls to it.
- ability for extension to add new rights
- define right declaratively
- separate method for checking and verifying right (throws opposed to
boolean return)
- fix some long waiting bugs like XWIKI-5174, XWIKI-6987, as well as
some unstated ones
Also XWIKI-4550
- possibility to easily solve issues like XWIKI-4491
- no more admin right per default
- being in good position to improve it and release dependencies to
oldcore for security matters.
- possibility for third party to adapt the right settler to their special
needs (right decision is plugable)
- a consistant right evaluation with very few exception that could be
explained and documented
cons:
- no more admin right per default, but since we have DW, the initial
setup is no more a problem, and advanced users may use superadmin.
- groups are only checked from the user wiki, not from the accessed
entity wiki.
- may exhibit some other minor differences compare to existing
implementation (but mostly consistency fixes)
- test could be improved, critical part (right, settler, data structure,
cache) are covered at almost 100%, api at 60%, this is probably better
than the old right service
- documentation should be improved, but this is not worse than the old
one anyway
Since I use the new module in all my production servers for several months
with success, and I really think that if we do not do it now we will never
go ahead, here is my big +1
WDYT ?
--
Denis Gervalle
SOFTEC sa - CEO
eGuilde sarl - CTO
--
Denis Gervalle
SOFTEC sa - CEO
eGuilde sarl - CTO