[Design of JBoss Portal] - Re: Architecture : CMS and Identity for authorization on doc
by sohil.shah@jboss.com
anonymous wrote :
| If I understand well :
| - the users and roles are synchronised from the LDAP to the DB
| - then, we use hibernate to have the cache feature on users and roles requests
|
| so we get good performance, thanks to this replication of data + hibernate caching feature.
|
| I still think that is quite a heavy way to have some cached users and roles.
|
| Maybe it could be interesting to have a cache (jboss cache) on the users and roles directly,
| with clustered HA feature too.
| It could also rely on the events of LDAP synchronisation.
|
| This would be an enhancement (for performance) of the identity service, while keeping the (nice) independence of users and roles from the implementation behind (DB, LDAP... EJB3 later?).
|
| And also avoid a heavy drawback: in High Availability, having a replication of data from LDAP to a DB is not a nice thing, if the purpose is just "caching with hibernate".
| One more DB in HA is a lot of prod work, and a weak part more.
|
| I guess this is new and will evolve when it is time.
| I can customize a users and roles module too.
| I wish I could contribute to it,
| but I don't see any opportunity (and time) to do that before... a long time.
|
As a follow up to your post on the JIRA task, this strategy would be hidden as an implementation detail of the Identity Modules (UserModule, RoleModule etc), as I stated earlier in my post on the JIRA task.
The HSQL based optimization/caching will apply only to the core DB based IdentityModule implementations that we ship out-of-the-box with the Portal. For other Identity Modules it will fall back to retrieving Identity Data via Identity interfaces and any performance related optimizations in that case will be delegated to the actual implementation and not to the CMS Security engine.
Thanks
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4073717#4073717
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4073717
18 years, 7 months
[Design of JBoss Portal] - Architecture : CMS and Identity for authorization on docs
by Antoine_h
About this Jira:
http://jira.jboss.com/jira/browse/JBPORTAL-1499?page=comments#action_1237...
anonymous wrote : When separating the CMS tables and the Users/Roles tables in two datasources, I found this:
|
| when trying to go to the CmsAdmin (CMSAdminPortlet), I got "access denied" and this exception:
|
| 2007-06-22 13:56:11,015 DEBUG [org.hibernate.jdbc.ConnectionManager] releasing JDBC connection [ (open PreparedStatements: 0, globally: 0) (open ResultSets: 0, globally: 0)]
| 2007-06-22 13:56:11,015 DEBUG [org.hibernate.util.JDBCExceptionReporter] could not execute query [SELECT * from jbp_cms_perm p,jbp_cms_perm_role r,jbp_role_membership m,jbp_roles roles,jbp_users users WHERE p.id=r.cms_perm_id AND r.role_id=roles.jbp_name AND m.jbp_rid=roles.jbp_rid AND m.jbp_uid=users.jbp_uid AND users.jbp_uname=?]
| com.mysql.jdbc.exceptions.MySQLSyntaxErrorException: Table 'jbptl_cms.jbp_role_membership' doesn't exist
| at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:936)
| at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:2870)
|
| and also:
|
| 13:56:11,015 WARN [JDBCExceptionReporter] SQL Error: 1146, SQLState: 42S02
| 13:56:11,015 ERROR [JDBCExceptionReporter] Table 'jbptl_cms.jbp_role_membership' doesn't exist
|
| Datasource for Users/Roles: jbptl_users
| Datasource for CMS: jbptl_cms
|
| I did not look precisely at the CMSAdminPortlet code, but obviously, the HQL query mixes the tables of the CMS and the tables of the Users/Roles.
|
| Everything works fine in the native version of portal, but it can't work with my production or architecture needs. I guess usual needs: separation of what is not really tied up.
|
| I guess the CMS service should check the security using the Users and Roles Modules, with some java level code,
| and not directly the Hibernate queries that manipulate the data.
|
| With this, we cannot have a specific Users/Roles Module, with other persistence than in the same database as the CMS.
|
| => is the CMSAdminPortlet working with an LDAP user repository?
| I guess not, if the LDAP Users/Roles Module does not use the JBossPortal users tables (no replication between ldap and the usual portal u/r tables).
|
| => if we need a specific user database (legacy), with a home made Users/Roles Module that takes the data from another legacy datasource, the CMSAdminPortlet and CMS Security won't work
|
| => general architecture design: the users data are in a database, the cms data are in another one: cleaner for managing all that stuff (backup, restore if crash, maintenance against user data or cms data, etc...).
|
| Feature:
| - Enhance the CMSService with some Security API that provides all the basic security features to check the permission, doing it with java and Users/Roles Module, not with hibernate.
| - Or (I think it is better) provide a Users/Roles Security service, that provides the usual security checking features (isInRole(), etc...). This would be above the Users/Roles Module
| I guess the portal needs the same kind of service: set a common service interface for both needs.
|
| Even if there is no time to decide and build these security interfaces for 2.6, it would be great to have the CMSAdminPortlet working with some CMS and Users/Roles separate DataSources.
|
| I will manage with only one DS for dev, but would be great to have it for the upgrade of our prod version (now in JBP2.4.1).
| Unfortunately, I have no time to do this now (huge work to have the next version of our portal ready asap... and I'd rather use right now the 2.6 than keep 2.4 for all this...).
|
Sohil Shah noticed an important thing: performance in access to the Identity stuff from the CMS.
For view or write of any document that has security constraints (authorizations), the User and its Roles have to be provided.
I agree on that, but I still see an architecture problem in programming HQL queries that rely on: both CMS repository, Users and Roles are in the same datasource.
Can't say that for a prod server/portal. Especially in HA.
I propose (see why in the jira above):
- extend the Identity api so it provides the features needed by the CMS (or any service that would need fine grained security checking)
- add a JBoss Cache ability for caching the user, independently from Hibernate. This would be useful for the use of LDAP without synchro of users.
The question is open for ideas and resolution.
I'll make a notice of this post in this one: Initial identity model discussion
http://jboss.org/index.html?module=bb&op=viewtopic&t=112843
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4073695#4073695
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4073695
18 years, 7 months
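An added example (not code from the post or from JBoss Portal) modelling the problem Antoine describes: two in-memory sqlite databases stand in for the jbptl_users and jbptl_cms datasources, the joined query from the log fails on the CMS datasource, and a check that asks the identity side for role names and then queries only CMS tables works across the split. Table and column names beyond those visible in the logged query (path, action) and all sample rows are assumed.

```python
import sqlite3

# Constructed sample data for the two datasources named in the post (jbptl_users holds the
# identity tables, jbptl_cms the CMS tables); columns path/action are assumed, not from the log.
def make_datasources():
    users = sqlite3.connect(":memory:")
    users.executescript("""
        CREATE TABLE jbp_users (jbp_uid INTEGER, jbp_uname TEXT);
        CREATE TABLE jbp_roles (jbp_rid INTEGER, jbp_name TEXT);
        CREATE TABLE jbp_role_membership (jbp_uid INTEGER, jbp_rid INTEGER);
        INSERT INTO jbp_users VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO jbp_roles VALUES (10, 'Admin'), (11, 'User');
        INSERT INTO jbp_role_membership VALUES (1, 10), (1, 11), (2, 11);""")
    cms = sqlite3.connect(":memory:")
    cms.executescript("""
        CREATE TABLE jbp_cms_perm (id INTEGER, path TEXT, action TEXT);
        CREATE TABLE jbp_cms_perm_role (cms_perm_id INTEGER, role_id TEXT);
        INSERT INTO jbp_cms_perm VALUES (100, '/default', 'write'), (101, '/default', 'read');
        INSERT INTO jbp_cms_perm_role VALUES (100, 'Admin'), (101, 'User');""")
    return users, cms

# The log's query: one statement joining CMS and identity tables, so it only works where both live in one datasource.
JOINED_QUERY = ("SELECT * from jbp_cms_perm p,jbp_cms_perm_role r,jbp_role_membership m,jbp_roles "
                "roles,jbp_users users WHERE p.id=r.cms_perm_id AND r.role_id=roles.jbp_name AND "
                "m.jbp_rid=roles.jbp_rid AND m.jbp_uid=users.jbp_uid AND users.jbp_uname=?")

def joined_check_error(cms, uname):
    """Run the joined query on the split CMS datasource; return the error text, or None."""
    try:
        cms.execute(JOINED_QUERY, (uname,)).fetchall()
        return None
    except sqlite3.OperationalError as e:
        return str(e)  # sqlite's counterpart of MySQL's "Table ... doesn't exist"

def roles_of(users, uname):
    """Identity side: resolve a user's role names from the users datasource only."""
    rows = users.execute("SELECT roles.jbp_name FROM jbp_roles roles, jbp_role_membership m, "
                         "jbp_users u WHERE m.jbp_rid=roles.jbp_rid AND m.jbp_uid=u.jbp_uid "
                         "AND u.jbp_uname=?", (uname,))
    return {r[0] for r in rows}

def has_cms_permission(users, cms, uname, path, action):
    """Two-step check: roles from the identity datasource, then a CMS-only lookup by role name."""
    roles = roles_of(users, uname)
    if not roles:
        return False
    row = cms.execute("SELECT 1 FROM jbp_cms_perm p JOIN jbp_cms_perm_role r ON p.id=r.cms_perm_id "
                      f"WHERE p.path=? AND p.action=? AND r.role_id IN ({','.join('?' * len(roles))})",
                      (path, action, *roles)).fetchone()
    return row is not None
```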
[Design of JBoss Web Services] - Invocation exception handling
by palin
Hi all,
on jira we currently have an issue about invocation exception handling with the metro stack http://jira.jboss.com/jira/browse/JBWS-1670.
Basically the problem is caused by the handleInvocationException method of the abstract class org.jboss.wsf.spi.invocation.InvocationHandler that unwraps the throwable raised by the service endpoint implementation:
| if (th instanceof InvocationTargetException)
| {
| // Unwrap the throwable raised by the service endpoint implementation
| Throwable targetEx = ((InvocationTargetException)th).getTargetException();
| handleInvocationException(targetEx);
| }
|
This is correct for the native stack, but causes the Metro stack integration to fail whenever a custom user exception is thrown, since the unwrapping process is performed twice (both by metro and jbossws code above).
This drove me to think that the InvocationHandler might delegate the exception handling process to an InvocationExceptionHandler which is going to be different for each stack (for now, the native one would unwrap InvocationExceptions, the metro one would not).
The EndpointHandlerDeploymentAspect could set the right InvocationExceptionHandler (according to the jbossws-xxx-config.xml) into every InvocationHandler (regardless of its type, the container we are running on, etc).
Any opinion about this?
Bye
Alessio Soldano
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4073647#4073647
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4073647
18 years, 7 months