Warning: Can't synchronize with repository "(default)" (/home/git/ome.git does not appear to be a Git repository.). Look in the Trac log for more information.
Notice: In order to edit this ticket you need to be either: a Product Owner, The owner or the reporter of the ticket, or, in case of a Task not yet assigned, a team_member"

Task #178 (closed)

Opened 18 years ago

Closed 18 years ago

Last modified 18 years ago

Wrap CurrentDetails and EventContext with SecuritySystem

Reported by: jamoore Owned by: jamoore
Priority: major Milestone: 3.0-M3
Component: Security Version: 3.0-M3
Keywords: story114, iteration1 Cc: cxallan
Resources: n.a. Referenced By: n.a.
References: n.a. Remaining Time: n.a.
Sprint: n.a.

Description

The ThreadLocal CurrentDetails should be made package private and wrapped by a SecurityManager (name TBD) that will be the central logical unit for all security tests. The single, Spring-configured instance will be injected into other server objects which need to perform security logic. SecurityManager will coordinated with the ome.model.internal.Permissions class and Hibernate filters for providing read and possibly write security. Write security may be handled by the Hibernate validation system.

Change History (7)

comment:1 Changed 18 years ago by jmoore

  • Keywords story114 added

comment:2 Changed 18 years ago by jmoore

  • Keywords iteration1 added

Most likely needed for #156 (System-Types). A central component will need to "know" what the System-Types are. We shouldn't be spreading ISystem.class.isAssignableFrom( thing.getClass() ) calls all around the place.

comment:3 Changed 18 years ago by jmoore

Plan :

  • lower visibility on CurrentDetails
  • gather all calls to user.getId().equals( 0L )
  • inject SecurityManager where needed (ome/services/security.xml)
  • inject EventContext only into SecurityManager (ome/services/security.xml)

will wait on #180 for working out the separation of responsibilites between SecurityManager and Permissions.

comment:4 Changed 18 years ago by jmoore

  • Cc callan added
  • Summary changed from Wrap CurrentDetails and EventContext with SecurityManager to Wrap CurrentDetails and EventContext with SecuritySystem

Name switch. SecurityManager is in java.lang and that's a hassle. Floor is open for suggestions. Temporarily switching to SecuritySystem to keep moving.

comment:5 Changed 18 years ago by jmoore

  • Resolution set to fixed
  • Status changed from new to closed

r768 implements a BasicSecuritySystem which does not use ITypes (#86) for defining SystemTypes (#156) but defines them programmatically:

 if ( object instanceof Experimenter ) ...

We will definitely want to revist BasicSecuritySystem to make it more configurable and which objects have the SecuritySystem injected. This can take place in other tickets. Simiarly for collecting all miscellaneous calls to user.getId().equals( 0L ) or new Experimenter( 0L, false ).


comment:6 Changed 18 years ago by jmoore

r826 adds lots of mock testing for the BasicSecuritySystem so this is even more closed.

comment:7 Changed 18 years ago by jmoore

r827 extends SecuritySystem/CurrentDetails and others with the wished group leader ("PI") logic. No ticket available.

Note: See TracTickets for help on using tickets. You may also have a look at Agilo extensions to the ticket.

1.3.13-PRO © 2008-2011 Agilo Software all rights reserved (this page was served in: 0.70721 sec.)

© 2000-2014 University of Dundee & Open Microscopy Environment. Creative Commons Attribution 3.0 Unported License
OME source code is available under the GNU General public license or through commercial license from Glencoe Software

We're Hiring!