[jboss-dev-forums] [Design of JBoss Portal] - Re: LDAP Support expectations

bdaw do-not-reply at jboss.com
Mon Nov 27 19:14:21 EST 2006


Hi. I cannot respond to every one of your comments, but I'll try to do a quick reply.

First of all... Thanks a lot for your post. The 2.6 roadmap is closed indeed, but we'll start to define 3.0 features soon, so your comments bring a lot of value!

anonymous wrote : What I don't understand right now is, why do you want to decouple Users and Roles in a MembershipModule, what is the advantage of this? 

The target for 2.6 was to keep the current design and add LDAP support, and that's why there is no revolution here. The reason for MembershipModule is that in LDAP you can define the User-Role relationship in several ways. It can be held by either the user or the role entry, or resolved dynamically. So it's more convenient to have a separate module which you can swap with a different implementation of such a relationship. 

Persistence config:

It's more like this currently (and still morphing a little): http://anonsvn.jboss.org/repos/portal/trunk/identity/src/resources/test/config/

standardidentity-config.xml - the file that defines the different possible module configurations
identity-config.xml - which selects the proper modules and overrides only what's needed - like connection options

There are some design reasons for keeping the profile configuration in a separate file. We want to be able to generate hibernate mappings from it dynamically, for example.

- <access-mode>read-write</access-mode> - there are several reasons to keep it at the per-property level. Even if you don't mix LDAP with DB for storage, you may want to prevent write access to specific properties. We can always add a global switch as well.
- <display-name xml:lang="EN"> or <description xml:lang="EN"> is only for information purposes - like for tools support.

There will be UserProfileModule.getProfileInfo() where you can get an info object describing such a mapping - so you'll have an API to discover which properties are mapped and how. 

anonymous wrote : As I understand your implementation, Roles and User Objects are maintained in LDAP, and also the relationship. Roles are used in JBoss Portal to control access rights to portal objects. Please correct me if I'm wrong, but this would mean application-dependent data has to be stored in LDAP; that is not usable in larger companies, as you already mentioned, Portal is just another client application, and we have several of them.
  | 
  | Maintaining Users/Groups in LDAP and mapping to Roles in Portal would also increase the flexibility of the LDAP configuration. 

We fully agree. This is something we should address in 3.0.

What we could probably do for now is to add a one-to-one mapping of group to role in RoleModule. So similarly to portlet.xml

  | <security-role-ref>
  |    <role-name>Business Admin</role-name>
  |    <role-link>Admin</role-link>
  | </security-role-ref>

and it could be resolved as some kind of alias. But I'm not sure if this satisfies you.

I'm trying to make the implementation extendable so you could implement your grouping for 2.6 as additional modules and plug it in (like we discussed with bvogt). But the 2.6 identity codebase is still a little in a state of flux.

As for your suggestion about working with the principal object, it's something we definitely should discuss for 3.0. 




View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3989123#3989123
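The three ways the post says LDAP can hold the user-role relationship (on the user entry, on the role entry, or resolved dynamically), behind one swappable membership resolver, with a one-to-one group-to-role alias in the spirit of the security-role-ref idea above. This is an added Python example, not JBoss Portal code; the directory entries, the memberFilter attribute and the ROLE_LINKS table are constructed assumptions.

```python
from typing import Callable, Dict, List, Set

Entry = Dict[str, List[str]]

# Constructed sample directory (DN -> attributes); not a real deployment.
DIRECTORY: Dict[str, Entry] = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "uid": ["alice"], "ou": ["Finance"],
        "memberOf": ["cn=Business Admin,ou=Groups,dc=example,dc=com"],  # held on the user
    },
    "uid=bob,ou=People,dc=example,dc=com": {"uid": ["bob"], "ou": ["Engineering"]},
    "cn=Business Admin,ou=Groups,dc=example,dc=com": {
        "cn": ["Business Admin"],
        "member": ["uid=alice,ou=People,dc=example,dc=com"],  # held on the group/role
    },
    "cn=Engineers,ou=Groups,dc=example,dc=com": {
        "cn": ["Engineers"],
        "memberFilter": ["ou=Engineering"],  # hypothetical attribute: resolved dynamically
    },
}

# One-to-one group-to-role aliases (LDAP group cn -> portal role name), like
# <security-role-ref>. Portal-specific role names stay out of the directory, and
# a group with no link never becomes a portal role.
ROLE_LINKS: Dict[str, str] = {"Business Admin": "Admin", "Engineers": "User"}

def groups() -> Dict[str, Entry]:
    return {dn: e for dn, e in DIRECTORY.items() if ",ou=Groups," in dn}

def user_held(user_dn: str) -> Set[str]:
    """Relationship stored on the user entry (memberOf)."""
    return {DIRECTORY[g]["cn"][0] for g in DIRECTORY[user_dn].get("memberOf", [])}

def role_held(user_dn: str) -> Set[str]:
    """Relationship stored on the group/role entry (member)."""
    return {e["cn"][0] for e in groups().values() if user_dn in e.get("member", [])}

def dynamic(user_dn: str) -> Set[str]:
    """Relationship computed from an attribute filter on the user entry."""
    user = DIRECTORY[user_dn]
    found: Set[str] = set()
    for e in groups().values():
        for flt in e.get("memberFilter", []):
            attr, _, value = flt.partition("=")
            if value in user.get(attr, []):
                found.add(e["cn"][0])
    return found

def portal_roles(user_dn: str, membership: Callable[[str], Set[str]]) -> Set[str]:
    """Swap `membership` to change how the user-group relationship is resolved."""
    return {ROLE_LINKS[g] for g in membership(user_dn) if g in ROLE_LINKS}
```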
