Move spring security configuration out of main and into web-app
---------------------------------------------------------------
Key: GEOS-4487
URL: http://jira.codehaus.org/browse/GEOS-4487
Project: GeoServer
Issue Type: Task
Components: Security
Reporter: Gabriel Roldán
Assignee: Gabriel Roldán
Fix For: 2.1.x, 2.2.x
Spring Security is configured in applicationSecurityContext.xml but is embedded into the main module's jar, implying the following problems:
- security config is a cross-cutting concern, and right now the main module imposes assumptions on things it doesn't know about or shouldn't enforce
- it is very difficult to set up an alternate web application that overrides the security subsystem default weaving of spring beans, especially because some of them are engaged at run time by app context inspection, so even if providing a different set of security objects, some from main engage at runtime.
The solution would be that the app security context is defined in the web-app module, allowing alternate web applications to depend on geoserver modules without the impositions of the security context in main.
To do so, it is needed that:
- the app security context is moved to web-app
- there's still a security context used for unit tests that require it, but it shall not interfere with the normal application (proposal is putting the config file in main's test resources under a different name, for the sake of simplicity, instead of having to provide an alternate file for each unit test that requires security)
- the servlet filter classes in web-app should be moved to web-core, for other web applications to use them.
The following git branch provides such a patch and does not break any test: https://github.com/groldan/geoserver_trunk/compare/master...security_breakdown
The proposal is to apply this to trunk, and if everything works ok port to 2.1.x after 2.1.0 is released, because the GeoNode project needs to lay out its own web app based on GeoServer 2.1.x components and to set up its own security context.
As a side note, what's being proposed here is the same that the GeoWebCache project does. It defines the security context in its web application module, allowing GeoServer to depend on GeoWebCache without carrying over GWC's settings for security, which as a matter of fact still use the acegi framework instead of the spring-security replacement as GeoServer does.
In this case, GeoNode needs to depend on GeoServer the same way GeoServer does on GWC, so this seems like the correct approach.
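A check for the problem described in this issue, added here as an example and not taken from the issue or from GeoServer's code: it reports which jars in a web application's lib directory embed applicationSecurityContext.xml and which beans each one declares. It assumes the file sits at the jar root; the jar names and bean ids in the sample are constructed.

```python
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

CONTEXT_NAME = "applicationSecurityContext.xml"  # file name from the issue
BEANS_NS = "{http://www.springframework.org/schema/beans}"


def security_contexts(lib_dir):
    """Map jar name -> sorted bean ids declared in an embedded security context."""
    found = {}
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        with zipfile.ZipFile(jar) as zf:
            if CONTEXT_NAME not in zf.namelist():  # assumption: file at jar root
                continue
            root = ET.fromstring(zf.read(CONTEXT_NAME))
        # Fall back to the class name for anonymous beans.
        found[jar.name] = sorted(
            b.get("id") or b.get("class", "?") for b in root.iter(BEANS_NS + "bean")
        )
    return found


def build_sample_lib(lib_dir):
    """Constructed sample: two small jars, only one embedding a security context."""
    context = (
        '<beans xmlns="http://www.springframework.org/schema/beans">'
        '<bean id="exampleFilterChain" class="example.FilterChain"/>'
        '<bean id="exampleAuthManager" class="example.AuthManager"/>'
        "</beans>"
    )
    lib = Path(lib_dir)
    lib.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(lib / "main-sample.jar", "w") as zf:
        zf.writestr(CONTEXT_NAME, context)
    with zipfile.ZipFile(lib / "web-core-sample.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return lib


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for jar, beans in security_contexts(build_sample_lib(tmp)).items():
            print(f"{jar}: {', '.join(beans)}")
```

Run against a real WEB-INF/lib, any jar listed other than the web application's own module is contributing security beans that an alternate web application would inherit.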