Security Re-Implementation
--------------------------

Key: OFBIZ-2380
URL: https://issues.apache.org/jira/browse/OFBIZ-2380
Project: OFBiz
Issue Type: Improvement
Components: ALL COMPONENTS
Affects Versions: SVN trunk
Reporter: Andrew Zeneski
Assignee: Andrew Zeneski
Fix For: SVN trunk

Parent Task for Security Re-Implementation -- Details defined here: http://docs.ofbiz.org/x/-B0

-- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andrew Zeneski updated OFBIZ-2380:
----------------------------------
Component/s: (was: ALL COMPONENTS) framework

> Security Re-Implementation
> --------------------------
>
> Key: OFBIZ-2380
> URL: https://issues.apache.org/jira/browse/OFBIZ-2380
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Andrew Zeneski
> Assignee: Andrew Zeneski
> Fix For: SVN trunk
>
> Original Estimate: 504h
> Remaining Estimate: 504h
>
> Parent Task for Security Re-Implementation -- Details defined here: http://docs.ofbiz.org/x/-B0
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704129#action_12704129 ] Adrian Crum commented on OFBIZ-2380:
------------------------------------
Andrew,

Why doesn't the new security API accommodate an admin permission? If the goal is to make the new API more like other software, shouldn't it include a supervisor/super user/admin permission?
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704178#action_12704178 ] Andrew Zeneski commented on OFBIZ-2380:
---------------------------------------
Adrian,

I'm not sure I understand what you mean. There are "base" permissions: access, create, read, update, delete. Which are all part of the seed data and associated with the FULLADMIN security group. These are indeed "admin" permissions since there is no granularity attached.

Check out the comments on the page: http://docs.ofbiz.org/x/JR4 - there's a brief description on how these permissions are handled.

If I'm missing something, or not answering your question, please let me know.
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704342#action_12704342 ] Andrew Zeneski commented on OFBIZ-2380:
---------------------------------------
Revision 769928 - Base API - not enabled, will not affect anything
Revision 769929 - Ext. API + Test Cases - Affects only when running tests
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704342#action_12704342 ] Andrew Zeneski edited comment on OFBIZ-2380 at 4/29/09 2:16 PM:
----------------------------------------------------------------
Revision 769928 - Base API - not enabled, will not affect anything
Revision 769929 - Ext. API + Test Cases - Affects only when running tests
Revision 769936 - Service Engine Integration - dispatchContext.getAuthz() - used in check-permission tags
Revision 769937 - Controller Integration - use request.getAttribute("authz")
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704342#action_12704342 ] Andrew Zeneski edited comment on OFBIZ-2380 at 4/29/09 2:17 PM:
----------------------------------------------------------------
*Commit History*

Revision 769928 - Base API - not enabled, will not affect anything
Revision 769929 - Ext. API + Test Cases - Affects only when running tests
Revision 769936 - Service Engine Integration - dispatchContext.getAuthz() - used in check-permission tags
Revision 769937 - Controller Integration - use request.getAttribute("authz") - ACTIVE IN CoreEvents.java
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704342#action_12704342 ] Andrew Zeneski edited comment on OFBIZ-2380 at 4/29/09 2:29 PM:
----------------------------------------------------------------
*Commit History*

Revision 769928 - Base API - not enabled, will not affect anything
Revision 769929 - Ext. API + Test Cases - Affects only when running tests
Revision 769936 - Service Engine Integration - dispatchContext.getAuthz() - used in check-permission tags
Revision 769937 - Controller Integration - use request.getAttribute("authz") - ACTIVE IN CoreEvents.java
Revision 769943 - Widget Integration - enabled when NOT using an action="" element
Revision 769944 - Themes Integration - uses both APIs for checking permission
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704356#action_12704356 ] Adrian Crum commented on OFBIZ-2380:
------------------------------------
Andrew,

Following your logic then, FULLADMIN would have to include ALL possible permissions. Maybe it would help if your new framework could accept wildcards:

access:*
create:*
read:*
update:*
delete:*
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704358#action_12704358 ] Adrian Crum commented on OFBIZ-2380:
------------------------------------
Also, it would be helpful if the new API would return all permissions for a given context. I had suggested this on the dev mailing list some time ago, and there seemed to be some interest.
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704342#action_12704342 ] Andrew Zeneski edited comment on OFBIZ-2380 at 4/29/09 3:11 PM:
----------------------------------------------------------------
*Commit History*

Revision 769928 - Base API - not enabled, will not affect anything
Revision 769929 - Ext. API + Test Cases - Affects only when running tests
Revision 769936 - Service Engine Integration - dispatchContext.getAuthz() - used in check-permission tags
Revision 769937 - Controller Integration - use request.getAttribute("authz") - ACTIVE IN CoreEvents.java
Revision 769943 - Widget Integration - enabled when NOT using an action="" element
Revision 769944 - Themes Integration - uses both APIs for checking permission
Revision 769963 - Fix for infinite looping when using hasPermission from service based DA implementations
Revision 769965 - MiniLang (Simple Method) integration - enabled when NOT using an action="" element
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andrew Zeneski updated OFBIZ-2380:
----------------------------------
Comment: was deleted (was: the *Commit History* comment listing revisions 769928 through 769965, posted above)
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704380#action_12704380 ] Andrew Zeneski commented on OFBIZ-2380:
---------------------------------------
To answer your first question, if a user has 'update' that is effectively the same as 'update:*', the * is just not needed. If the user has 'update:party' then that would mean 'update:party:*'.

We define the most granular permission required when defining the permission for a piece of functionality. So, to update person information the permission would be defined as 'update:party:detail:${partyId}'. The partyId would be expanded at runtime. The user will need either:

update
update:party
update:party:detail

Or if none of these permissions are associated with the user, then the DA logic kicks in to see if they are allowed to access the single party record.

So,
1. 'update' means update anything in the entire system,
2. 'update:party' means update anything in the party app.
3. 'update:party:detail' means update any party's detail information (name, groupName, etc)

As for your second comment, I'd like to hear more about this. I'm not sure how that would look and what the definition of 'context' is in this case. But I'm happy to add something which is helpful! :) We can take this over to the dev list if you like.
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704387#action_12704387 ] Adrian Crum commented on OFBIZ-2380:
------------------------------------
Andrew,

Thank you for the explanation. It's starting to make more sense now.

Getting all permissions would look something like:

*:party

where party is the context and a list of party permissions is returned. This is sorely needed, because right now if you need to query multiple permissions, you have to make multiple permission service calls. Let's say a block of code needs to check view, create, and update permissions (to control the display of screen elements for example). Right now three permission checks would have to be made. It would be nice to get a list of permissions, then check the list for view, create, and update.

The Jira comments are sent to the dev list, so this discussion is already there.
[ https://issues.apache.org/jira/browse/OFBIZ-2380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12704489#action_12704489 ] Adrian Crum commented on OFBIZ-2380:
------------------------------------
Thinking about this more... (sorry - it would have been helpful to discuss this on the dev ml before you got started) it would be awesome if the new permissions could be expressions. Example:

(update:context1 | update:context2) & update:context3

which would express "if (update:context1 OR update:context2) AND update:context3." I know there have been times when this would have been helpful in the permissions service interface. It would eliminate a lot of little mini-language permissions scripts. The single permission check for service calls is very limiting.

After working with UEL, I can see where implementing functions would be helpful too:

update:context1 & someFunction(...)
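The semantics discussed in the last few comments, as an added Python model that is not OFBiz code: Andrew's prefix rule ('update' covers 'update:party:detail:${partyId}', with the placeholder expanded at check time and the DA logic as a last resort), Adrian's '*:party' listing of the base actions held for a context, and his boolean expressions over permissions. The function names, the fallback callable standing in for the DA check, and the operator precedence ('&' tighter than '|') are assumptions of this example.

```python
"""Constructed model of the permission semantics in the thread (not OFBiz
code): a held path grants every required path it prefixes, ${var} placeholders
expand at check time, and a callable stands in for the record-level DA check."""
import re

BASE_ACTIONS = ("access", "create", "read", "update", "delete")
_TOKEN = re.compile(r"\(|\)|\||&|[^\s()|&]+")

def expand(required: str, context: dict) -> str:
    """Replace ${name} placeholders with values from the runtime context."""
    return re.sub(r"\$\{(\w+)\}", lambda m: str(context[m.group(1)]), required)

def grants(held: str, required: str) -> bool:
    """True when the held path equals or is a path-prefix of the required one."""
    h, r = held.split(":"), required.split(":")
    return r[:len(h)] == h

def has_permission(held: list, required: str, context=None, fallback=None) -> bool:
    """Static prefix check first; only if nothing matches defer to the DA-style
    fallback(required, context), which decides on the single record (assumed)."""
    context = context or {}
    required = expand(required, context)
    if any(grants(h, required) for h in held):
        return True
    return bool(fallback and fallback(required, context))

def permissions_for(held: list, context_path: str) -> list:
    """Answer a '*:party'-style query: the base actions held for a context."""
    return [a for a in BASE_ACTIONS
            if any(grants(h, f"{a}:{context_path}") for h in held)]

def evaluate(expr: str, held: list, context=None, fallback=None) -> bool:
    """Evaluate '(update:a | update:b) & update:c'; '&' binds tighter than '|'.
    Both operands of an operator are always checked, so every token is consumed."""
    tokens, pos = _TOKEN.findall(expr), 0
    def take() -> str:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError(f"unexpected end of expression: {expr!r}")
        pos += 1
        return tokens[pos - 1]
    def parse_or() -> bool:
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "|":
            take()
            value = parse_and() or value
        return value
    def parse_and() -> bool:
        value = parse_atom()
        while pos < len(tokens) and tokens[pos] == "&":
            take()
            value = parse_atom() and value
        return value
    def parse_atom() -> bool:
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError(f"unbalanced parentheses: {expr!r}")
            return value
        if tok in (")", "|", "&"):  # a stray operator must fail, not read as a permission
            raise ValueError(f"unexpected {tok!r} in {expr!r}")
        return has_permission(held, tok, context, fallback)

    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {expr!r}")
    return result
```

Malformed expressions raise rather than evaluating to a partial result, so a typo in a permission expression fails closed instead of silently granting or skipping a check.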