All right. Thanks for the advice.
For now I'm trying to estimate what is needed for just the upgrades I mentioned earlier.
The client is initially interested in having the ability to specify rules on layers with services combined.
I don't think changing the whole system first is an option here in terms of funding.
On the other side of course, it would be stupid to make changes that will be redone completely later anyway.
And of course changes like this must be supported by the community beforehand.
With all these things in mind, what do you think is the best approach here?
What does everyone think of the idea of extending the current security system with this feature? Would such a proposal pass? Are there any other concerns I should be aware of?
Cheers
Niels
On 12/06/13 17:56, Christian Mueller wrote:
Two topics here
About access control. I worked with Sun's XACML implementation and it has a very good Java API. It is not necessary to bother about the XML stuff, the library does it behind the scenes. The only thing I wanted to point out is that if we add access control features we should discuss the current access control system. (I am not insisting on XACML, but it is powerful).
About security system confusion. What about packaging the LDAP and JDBC stuff as an extension? And yes, the documentation is not finished and some docs are not up to date. I am working on this in my spare time if possible.
Cheers
Christian
2013/6/12 Andrea Aime <andrea.aime@anonymised.com>
On Wed, Jun 12, 2013 at 4:37 PM, Justin Deoliveira
<jdeolive@anonymised.com> wrote:
I agree with Andrea that I would be wary of complexity here,
even if we do try to hide it from users. We took this approach
with the authentication changes and imo it is not all that
user friendly compared to other systems that offer similar
authentication options.
Unless you spend a lot of time designing the user interface up
front undoubtedly development complexity will creep through.
Case in point: currently the user needs to know what user
group and role services are. For power users this may not be
an issue, they probably like the flexibility, but for the
average user it's confusing.
Agreed, I made a workshop recently and people were confused by the
many options available (why are there multiple services, why are
role services separate, why is LDAP showing up in multiple places
and so on): for a power user it makes sense, but for the common
one it's a maze to get lost in.
Cheers
Andrea
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
-------------------------------------------------------
--
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel