Task #178 (closed)
Wrap CurrentDetails and EventContext with SecuritySystem
Reported by: | jamoore | Owned by: | jamoore |
---|---|---|---|
Priority: | major | Milestone: | 3.0-M3 |
Component: | Security | Version: | 3.0-M3 |
Keywords: | story114, iteration1 | Cc: | cxallan |
Resources: | n.a. | Referenced By: | n.a. |
References: | n.a. | Remaining Time: | n.a. |
Sprint: | n.a. |
Description
The ThreadLocal CurrentDetails should be made package private and wrapped by a SecurityManager (name TBD) that will be the central logical unit for all security tests. The single, Spring-configured instance will be injected into other server objects which need to perform security logic. SecurityManager will coordinated with the ome.model.internal.Permissions class and Hibernate filters for providing read and possibly write security. Write security may be handled by the Hibernate validation system.
Change History (7)
comment:1 Changed 18 years ago by jmoore
- Keywords story114 added
comment:2 Changed 18 years ago by jmoore
- Keywords iteration1 added
comment:3 Changed 18 years ago by jmoore
Plan :
- lower visibility on CurrentDetails
- gather all calls to user.getId().equals( 0L )
- inject SecurityManager where needed (ome/services/security.xml)
- inject EventContext only into SecurityManager (ome/services/security.xml)
will wait on #180 for working out the separation of responsibilites between SecurityManager and Permissions.
comment:4 Changed 18 years ago by jmoore
- Cc callan added
- Summary changed from Wrap CurrentDetails and EventContext with SecurityManager to Wrap CurrentDetails and EventContext with SecuritySystem
Name switch. SecurityManager is in java.lang and that's a hassle. Floor is open for suggestions. Temporarily switching to SecuritySystem to keep moving.
comment:5 Changed 18 years ago by jmoore
- Resolution set to fixed
- Status changed from new to closed
r768 implements a BasicSecuritySystem which does not use ITypes (#86) for defining SystemTypes (#156) but defines them programmatically:
if ( object instanceof Experimenter ) ...
We will definitely want to revist BasicSecuritySystem to make it more configurable and which objects have the SecuritySystem injected. This can take place in other tickets. Simiarly for collecting all miscellaneous calls to user.getId().equals( 0L ) or new Experimenter( 0L, false ).
comment:6 Changed 18 years ago by jmoore
r826 adds lots of mock testing for the BasicSecuritySystem so this is even more closed.
comment:7 Changed 18 years ago by jmoore
r827 extends SecuritySystem/CurrentDetails and others with the wished group leader ("PI") logic. No ticket available.
Most likely needed for #156 (System-Types). A central component will need to "know" what the System-Types are. We shouldn't be spreading ISystem.class.isAssignableFrom( thing.getClass() ) calls all around the place.