[jboss-dev-forums] [Design of JBoss Portal] - Architecture : CMS and Identity for authorization on docs
Antoine_h
do-not-reply at jboss.com
Mon Aug 13 15:19:45 EDT 2007
About this Jira:
http://jira.jboss.com/jira/browse/JBPORTAL-1499?page=comments#action_12371888
anonymous wrote: When separating the CMS tables and the Users/Roles tables into two datasources, I found this:
|
| When trying to go to the CmsAdmin (CMSAdminPortlet), I got "access denied" and this exception:
|
| 2007-06-22 13:56:11,015 DEBUG [org.hibernate.jdbc.ConnectionManager] releasing JDBC connection [ (open PreparedStatements: 0, globally: 0) (open ResultSets: 0, globally: 0)]
| 2007-06-22 13:56:11,015 DEBUG [org.hibernate.util.JDBCExceptionReporter] could not execute query [SELECT * from jbp_cms_perm p,jbp_cms_perm_role r,jbp_role_membership m,jbp_roles roles,jbp_users users WHERE p.id=r.cms_perm_id AND r.role_id=roles.jbp_name AND m.jbp_rid=roles.jbp_rid AND m.jbp_uid=users.jbp_uid AND users.jbp_uname=?]
| com.mysql.jdbc.exceptions.MySQLSyntaxErrorException: Table 'jbptl_cms.jbp_role_membership' doesn't exist
| at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:936)
| at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:2870)
|
| and also:
|
| 13:56:11,015 WARN [JDBCExceptionReporter] SQL Error: 1146, SQLState: 42S02
| 13:56:11,015 ERROR [JDBCExceptionReporter] Table 'jbptl_cms.jbp_role_membership' doesn't exist
|
| Datasource for Users/Roles: jbptl_users
| Datasource for CMS: jbptl_cms
|
| I did not look precisely at the CMSAdminPortlet code, but obviously the HQL query mixes the tables of the CMS and the tables of the Users/Roles.
|
| Everything works fine in the native version of the portal, but it can't work with my production or architecture needs. I guess these are usual needs: separation of what is not really tied together.
|
| I guess the CMS service should check the security using the Users and Roles Modules, with some Java-level code,
| and not directly with the Hibernate queries that manipulate the data.
|
| With this, we cannot have a specific Users/Roles Module with persistence other than the same database as the CMS.
|
| => Is the CMSAdminPortlet working with an LDAP user repository?
| I guess not, if the LDAP Users/Roles Module does not use the JBossPortal users tables (no replication between LDAP and the usual portal u/r tables).
|
| => If we need a specific user database (legacy), with a home-made Users/Roles Module that takes the data from another legacy datasource, the CMSAdminPortlet and CMS Security won't work.
|
| => General architecture design: the user data is in one database, the CMS data in another. This is cleaner for managing all that stuff (backup, restore after a crash, maintenance of user data or CMS data, etc.).
|
| Feature:
| - Enhance the CMSService with a Security API that provides all the basic security features to check permissions, doing it with Java and the Users/Roles Module, not with Hibernate.
| - Or (I think this is better) provide a Users/Roles Security service that provides the usual security checking features (isInRole(), etc.). This would sit above the Users/Roles Module.
| I guess the portal needs the same kind of service: set a common service interface for both needs.
|
| Even if there is no time to decide on and build these security interfaces for 2.6, it would be great to have the CMSAdminPortlet working with separate CMS and Users/Roles DataSources.
|
| I will manage with only one DS for dev, but it would be great to have it for the upgrade of our prod version (now on JBP2.4.1).
| Unfortunately, I have no time to do this now (huge work to have the next version of our portal ready ASAP... and I'd rather use 2.6 right now than keep 2.4 for all this...).
|
Sohil Shah noticed an important thing: performance of access to the Identity stuff from the CMS.
For viewing or writing any document that has security constraints (authorizations), the User and its Roles have to be provided.
I agree on that, but I still see an architecture problem in programming HQL queries that rely on the CMS repository and the Users and Roles being in the same datasource.
Can't say that for a prod server/portal. Especially in HA.
I propose (see why in the Jira above):
- extend the Identity API so it provides the features needed by the CMS (or any service that would need fine-grained security checking)
- add a JBoss Cache ability for caching the user, independently from Hibernate. This would be useful for the use of LDAP without synchronisation of users.
The question is open for ideas and resolution.
I'll make a note of this post in this one: Initial identity model discussion
http://jboss.org/index.html?module=bb&op=viewtopic&t=112843
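The failure in the quoted log, and the alternative the post argues for, as an added example that is not part of the original post or of JBoss Portal. It uses two separate SQLite in-memory databases as stand-ins for the jbptl_cms and jbptl_users datasources; the table and column names come from the logged query, except jbp_cms_perm.path and jbp_cms_perm.action, which are assumed here.

```python
import sqlite3
# Constructed sample data (not from the page): CMS tables in one datasource, identity tables in another.
# Columns follow the logged query except jbp_cms_perm.path/.action, which are assumed here.
CMS_DDL = """
CREATE TABLE jbp_cms_perm (id INTEGER PRIMARY KEY, path TEXT, action TEXT);
CREATE TABLE jbp_cms_perm_role (cms_perm_id INTEGER, role_id TEXT);
INSERT INTO jbp_cms_perm VALUES (1, '/default/private', 'write');
INSERT INTO jbp_cms_perm_role VALUES (1, 'Admin');
"""
IDENTITY_DDL = """
CREATE TABLE jbp_users (jbp_uid INTEGER PRIMARY KEY, jbp_uname TEXT);
CREATE TABLE jbp_roles (jbp_rid INTEGER PRIMARY KEY, jbp_name TEXT);
CREATE TABLE jbp_role_membership (jbp_uid INTEGER, jbp_rid INTEGER);
INSERT INTO jbp_users VALUES (1, 'admin'), (2, 'user');
INSERT INTO jbp_roles VALUES (1, 'Admin'), (2, 'User');
INSERT INTO jbp_role_membership VALUES (1, 1), (2, 2);
"""
# The five-table join from the logged error, selecting one column instead of '*'.
JOINED_QUERY = """SELECT p.path FROM jbp_cms_perm p, jbp_cms_perm_role r, jbp_role_membership m,
jbp_roles roles, jbp_users users WHERE p.id=r.cms_perm_id AND r.role_id=roles.jbp_name
AND m.jbp_rid=roles.jbp_rid AND m.jbp_uid=users.jbp_uid AND users.jbp_uname=?"""

def open_datasources():
    # Two separate in-memory databases stand in for the two JDBC datasources.
    cms, ident = sqlite3.connect(":memory:"), sqlite3.connect(":memory:")
    cms.executescript(CMS_DDL)
    ident.executescript(IDENTITY_DDL)
    return cms, ident

def joined_check_error(cms, username):
    # Run the join against the CMS datasource alone; returns the error text, or None if it ran.
    try:
        cms.execute(JOINED_QUERY, (username,)).fetchall()
    except sqlite3.OperationalError as exc:  # the identity tables live in the other datasource
        return str(exc)

def roles_for_user(ident, username):
    # Identity side only: the user's role names, which is the Users/Roles module's job.
    return {name for (name,) in ident.execute(
        "SELECT roles.jbp_name FROM jbp_users users, jbp_role_membership m, jbp_roles roles "
        "WHERE users.jbp_uname=? AND m.jbp_uid=users.jbp_uid AND roles.jbp_rid=m.jbp_rid", (username,))}

def roles_permitted(cms, path, action):
    # CMS side only: roles granted the action on the path.
    return {role for (role,) in cms.execute(
        "SELECT r.role_id FROM jbp_cms_perm p, jbp_cms_perm_role r "
        "WHERE p.path=? AND p.action=? AND r.cms_perm_id=p.id", (path, action))}

def has_permission(cms, ident, username, path, action):
    """The check done in code: intersect the two role sets instead of joining across datasources."""
    return bool(roles_for_user(ident, username) & roles_permitted(cms, path, action))
```

Run against the split datasources, the joined query fails with "no such table" exactly as in the log, while has_permission() still answers correctly because each side is queried where its data lives.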
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4073695#4073695