[smartweb-devel] Requirements for auth module
From: rlogiacco <rlo...@us...> - 2007-04-03 13:32:40
It may sound rough, but actually the most important module of the framework is no longer working! We should solve this big problem urgently and give it back to the community for upgrades, improvements but mostly for usage!!! Actually the problem was introduced because a major update started a few months ago, but I have to admit I committed a big mistake by not branching before starting to work on the next-generation module. Personally I think it is now too late to fall back 'cause we are pretty near to the end. For the future and for every module coordinator I strongly suggest branching before starting a new implementation: you can work without feeling your users' breath on your neck... ;)

Anyway, returning to the topic, I'm here to define the requisites of the module to share and clarify them once and for all.

1. users and groups should be treated in a similar manner, being interchangeable;
2. the administrator must be able to tell the module "allow user/group X to operate in the role Y only if the function operates on an object of type Z and id N [and the current time is between 8am and 6pm]", with the last part optional and customizable;
3. permissions and rules should be customizable through a configuration file without intervention in the code, allowing method-level granularity similar to the EJB security constraints;
4. users are stored by default in a database, but other data sources (LDAP for example) should be configurable;
5. no constraints between the auth module data and other modules, to allow deployment on separate databases;
6. no class constraints and no requirements on the classes using the module: as stated before, the security constraint should be activatable at configuration time (AOP should be the solution);
7. customizability of both the authentication process and the authorization process, like "no logins for users in role X between 8pm and 8am" or "disallow requests to function F if more than 5 users are already logged in", through custom classes and configuration;
8. ability to load balance the module with the web application;
9. ability to check credentials both on the presentation tier ("show this field only if user is authorized") and on the business tier ("allow this operation only if user is authorized");
10. support for distributed presentation and business tiers (on two or more servers) and implicit transmission of credentials (needs integration with JAAS).

Have I forgotten something?

Roberto

--
View this message in context: http://www.nabble.com/Requirements-for-auth-module-tf3513039s17546.html#a9810970
Sent from the SmartWeb Developers mailing list archive at Nabble.com.
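As an added illustration (not code from the SmartWeb project or from this post), a small default-deny evaluator for the rule shape in requirements 1, 2 and 7: the principal of a rule may be a user or a group name, the object type and optional id are matched, and the time window is optional. The user names, groups and rules are constructed assumptions standing in for what the configuration file of requirement 3 would hold.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional

# Constructed sample data: which groups each user belongs to.
GROUPS = {"alice": {"editors"}, "bob": {"viewers"}}


@dataclass
class Rule:
    """One 'allow' rule: principal is a user OR a group name (users and groups interchangeable)."""
    principal: str
    role: str
    object_type: str
    object_id: Optional[int] = None     # None = any object of that type
    not_before: Optional[str] = None    # "HH:MM"; both bounds set = optional time window
    not_after: Optional[str] = None

    def matches(self, principals, role, object_type, object_id, now):
        if self.principal not in principals or self.role != role:
            return False
        if self.object_type != object_type:
            return False
        if self.object_id is not None and self.object_id != object_id:
            return False
        if self.not_before and self.not_after:
            start = time.fromisoformat(self.not_before)
            end = time.fromisoformat(self.not_after)
            if not (start <= now <= end):
                return False
        return True


# Constructed rule set (assumed contents of the configuration file).
RULES = [
    Rule("editors", "editor", "Article"),                      # any article, any time
    Rule("bob", "editor", "Article", 42, "08:00", "18:00"),    # only article 42, office hours
]


def is_authorized(user, role, object_type, object_id, at, rules=RULES, groups=GROUPS):
    """Default deny: allowed only if some rule matches the user or one of the user's groups."""
    principals = {user} | groups.get(user, set())
    now = time.fromisoformat(at)
    return any(r.matches(principals, role, object_type, object_id, now) for r in rules)


if __name__ == "__main__":
    print(is_authorized("bob", "editor", "Article", 42, "10:30"))   # True: in window, right id
    print(is_authorized("bob", "editor", "Article", 42, "20:00"))   # False: outside 08:00-18:00
```

A rule with no matching principal, object or time falls through to the default deny, so an administrator only ever adds "allow" entries, which is the shape requirement 2 asks for.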