[Hypercontent-users] Re: Security for Hypercontent 2.0
From: Alex V. <av...@co...> - 2005-07-06 19:27:05
Hi Peners,

HyperContent 2 is set up to accommodate any user who successfully authenticates into the system. HC2 uses JAAS LoginModules to perform authentication; the built-in module validates against an MD-5 hash of the user's password in a user file. A CAS/JAAS module is planned for development soon. What method of authentication are you using?

Read, write, create, delete, build, publish & approve permissions can all be controlled on a per-project basis in the file "/config/permissions.xml". The model is very similar to uPortal's Groups and Permissions. Each permission has 4 components:

Principal - the user or group name that the permission applies to (by convention, group names in HC2 are prefixed with "group:" to avoid name collisions with users)

Activity - read, write, create, delete, build, publish or approve (custom activities can be used in controlling workflows)

Target - The pattern of files or directories to which the permission applies, e.g.

    /**/*.* = all files
    /**/ = all directories
    /students/*.xml = all XML files in the students directory
    /students/**/*.* = all files in the students directory or recursively any of its subdirectories
    /index.xml = the home page

Denied - if true, indicates that this is a negating permission

When multiple permissions match a given file or directory for a given user, the permission with the most specific pattern is applied, e.g. given

    Denied="false" target="/students/**/*.*"
    Denied="true" target="/students/**/sensitive/*.*"

Access to any file in a directory named "sensitive" below the students directory will be blocked.

Groups are specified per-project in "/config/groups.xml". Each group is assigned a name, and can have any number of group or user sub-elements. There are two special group names: "group:anybody" applies to any user session, even if unauthenticated, allowing world-read privileges to be established. "group:admin" is used to configure superusers, who are automatically granted all permissions. User IDs configured in group:admin in the bootstrap project are superusers across all projects, whereas users listed in group:admin in a project's groups file are superusers for that project only.

-Alex

On Jul 6, 2005, at 2:05 PM, Peners Griffin wrote:

> Hi Alex,
>
> I'm working with Ping and Lilying on implementing Hypercontent 2.0. Is
> there any way I can break security down to where only certain
> departments and certain links can be viewed by certain people? I know
> of the admin, author, approver, and publisher but how can I break that
> down where when a person logs in they're only able to view certain
> things? Also, will I be able to set up security where people can use
> their name as logins?
>
> Thanks,
>
> P.L.
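The following is an added example, not part of the original message and not HyperContent's own code: a small Python model of the rules described in the reply (principal, activity, target, denied; most specific pattern wins; group:anybody and group:admin). It handles only the pattern forms shown in the message. The specificity measure, the tie-break, the default when nothing matches, and all sample users, groups and permissions are assumptions made for illustration.

```python
import re

def to_regex(pattern):
    # '**/' spans zero or more directories; a single '*' stays inside one path segment.
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:[^/]+/)*"); i += 3
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("".join(out) + r"\Z")

def specificity(pattern):
    # Assumption: "most specific" means the most literal (non-wildcard) characters.
    return len(pattern.replace("*", ""))

def principals_for(user, groups):
    # Every session, even unauthenticated (user=None), is in group:anybody.
    found = {"group:anybody"} | ({user} if user else set())
    grew = True
    while grew:  # follow nested groups until nothing new is added
        grew = False
        for name, members in groups.items():
            if name not in found and members & found:
                found.add(name)
                grew = True
    return found

def is_allowed(user, activity, path, perms, groups):
    who = principals_for(user, groups)
    if "group:admin" in who:  # superusers are granted all permissions
        return True
    hits = [p for p in perms
            if p[0] in who and p[1] == activity and to_regex(p[2]).match(path)]
    if not hits:
        return False  # assumption: no matching permission means no access
    # Most specific target wins; assumption: on a tie the denying entry wins.
    return not max(hits, key=lambda p: (specificity(p[2]), p[3]))[3]

# Constructed sample data standing in for groups.xml and permissions.xml.
GROUPS = {"group:admin": {"root"}, "group:staff": {"alice", "group:faculty"},
          "group:faculty": {"bob"}}
PERMS = [("group:anybody", "read", "/index.xml", False),  # (principal, activity, target, denied)
         ("group:staff", "read", "/students/**/*.*", False),
         ("group:staff", "read", "/students/**/sensitive/*.*", True),
         ("alice", "write", "/students/*.xml", False)]
```

Walking a real permissions file through a model like this before deployment is a quick way to confirm that a broad allow is not silently overriding a narrower deny.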