Analysis
Overview
This group of tasks covers the basic security model of Sophie, in particular users and groups. At this revision of the task, users and groups will be implemented as resources and the server application should use the new model.
Task requirements
- Define and implement a basic security model for users and groups as resources:
  - A user should keep:
    - username (required)
    - password (required)
    - email (required)
    - full name
    - birthdate
    - description (about me)
  - A group should have:
    - name (required)
    - description
  - A user can belong to multiple groups (or to no group at all).
- Change the server application to use the newly defined model.
- Ensure that registration and login work through the web user interface.
- At this revision, persistence is not required. You can keep information about the users and groups in memory.
- Document what has been achieved in BASE_SECURITY_MODEL.
Task result
- Source code
- Wiki page
Implementation idea
- Create a new module - base.model.security to hold the security model (this will include permissions at a later stage).
- Take a look at the current server implementation of users and groups.
- Groups can have a list of the users in the group. Users do not necessarily need to have a property that holds their group.
Related
How to demo
- Run the server application and create a user.
- Login with that user and display the user info.
Design
The security model of Sophie2 should be separated into its own module - org.sophie2.base.model.security. It will contain classes for users, groups, permissions, etc. and will be used by the server module. Two new classes will be created in this module - User and UserGroup. These classes will contain properties for each of the attributes listed in the Task requirements section.
In addition, the User class will have a groups() property that will hold a list of ResourceRefs pointing to the groups the user belongs to. Similarly, the group will have a users() property holding a list of ResourceRefs to the users of the group. This will make the methods getUsers() and getGroups() in the GroupService and UserService classes redundant. Additionally, each group will have owner() and private() properties that show who created the group and whether it is private. If it is, only the owner can add/remove users of this group. Otherwise, the group is public and every user can join it.
There are currently classes for User and Group in the org.sophie2.server.persistence.entity package. These should be deleted and replaced with the new model. This means the existing code will be refactored where needed.
The web user interface provides some JSPs in the org.sophie2.server module. They should be changed to reflect the new properties for users and groups.
Here's a sketch of the structure of the BASE_SECURITY_MODEL page:
- Sophie2's security model - an overview of the contents of the document
  - Users - description of a user, what attributes it holds, etc.
  - Groups - the same for groups
  - Permissions - describes how permissions are applied (will not be filled as part of this task).
- Comments
Existing unit tests can be found at: trunk/sophie2-platform/modules/org.sophie2.server/src/test/java/org/sophie2/server/service. They should pass with the new model and be improved if needed.
Implementation
New classes have been created and the old ones deleted. This has led to the refactoring of a lot of properties. AbstractEntity has been changed to temporarily extend Resource in order to ease the refactoring. This class should be completely dropped at the next iteration. The *Dao classes are currently not used but are kept for future reference. Instead, users and groups are persisted by FakeUserDao and FakeGroupDao - classes that keep resources in memory (in a hash map). This is achieved through the helper class MockPersister (which is used instead of EmbeddedDatabaseManager). These fake implementations serve for demonstration purposes until the persistence is refactored to serve the new model (part of another task). The old classes are kept for reference. There are broken tests as well, which are kept for the same reason.
The private() property of the group has been judged redundant (see the comment in the ticket) and is not part of the model. The JSPs have been refactored as well and the new model can be demonstrated through them. The tests linked in the Design section have been refactored to pass. A basic version of the document described in the Design section has been written as well.
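To make the Design and Implementation sections concrete, here is an added, self-contained illustration of the model as it ended up (User and UserGroup with reference lists on both sides, an owner() on the group, no private()) together with a hash-map store in the spirit of FakeUserDao/FakeGroupDao. It is example code written for this page, not Sophie2's own classes: a plain String id stands in for a ResourceRef, MockPersister and the two fake DAOs are collapsed into one SecurityStore class, and the salted SHA-256 password storage is this example's choice rather than anything the page specifies.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.LocalDate;
import java.util.*;

// Added example for this wiki page; not Sophie2 project code.
// Assumptions: String refs stand in for ResourceRef, and SecurityStore stands in
// for MockPersister + FakeUserDao + FakeGroupDao.
public class SecurityModelDemo {
    public static void main(String[] args) {
        SecurityStore store = new SecurityStore();
        // constructed sample data
        User alice = store.register("alice", "s3cret", "alice@example.org");
        alice.fullName = "Alice Example";
        alice.birthdate = LocalDate.of(1990, 1, 1);
        UserGroup editors = store.createGroup("editors", alice);
        store.join(alice, editors);
        System.out.println("login ok: " + store.login("alice", "s3cret").isPresent());
        System.out.println("wrong password ok: " + store.login("alice", "wrong").isPresent());
        System.out.println("alice.groups=" + alice.groups + " editors.users=" + editors.users);
        System.out.println("editors owner=" + editors.owner);
    }
}

final class User {
    final String ref;                 // stand-in for the user's ResourceRef
    final String username;            // required
    final String email;               // required
    String fullName, description;     // optional
    LocalDate birthdate;              // optional
    private final byte[] salt;        // example choice: keep a salted hash, not the password
    private final byte[] passwordHash;
    final Set<String> groups = new LinkedHashSet<>(); // refs of groups the user belongs to

    User(String ref, String username, String password, String email) {
        if (username == null || username.isBlank()) throw new IllegalArgumentException("username required");
        if (password == null || password.isEmpty()) throw new IllegalArgumentException("password required");
        if (email == null || email.isBlank()) throw new IllegalArgumentException("email required");
        this.ref = ref; this.username = username; this.email = email;
        this.salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        this.passwordHash = hash(password, salt);
    }

    boolean checkPassword(String candidate) {
        // MessageDigest.isEqual is a constant-time comparison
        return MessageDigest.isEqual(passwordHash, hash(candidate, salt));
    }

    private static byte[] hash(String password, byte[] salt) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            return md.digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}

final class UserGroup {
    final String ref;                 // stand-in for the group's ResourceRef
    final String name;                // required
    String description;               // optional
    final String owner;               // ref of the user who created the group
    final Set<String> users = new LinkedHashSet<>(); // refs of member users

    UserGroup(String ref, String name, String owner) {
        if (name == null || name.isBlank()) throw new IllegalArgumentException("name required");
        this.ref = ref; this.name = name; this.owner = owner;
    }
}

/** In-memory store: resources live in hash maps keyed by their ref, as the fake DAOs do. */
final class SecurityStore {
    private final Map<String, User> users = new HashMap<>();
    private final Map<String, UserGroup> groups = new HashMap<>();
    private final Map<String, String> byUsername = new HashMap<>(); // username -> ref
    private int nextId = 1;

    User register(String username, String password, String email) {
        if (byUsername.containsKey(username)) throw new IllegalStateException("username taken");
        User u = new User("user-" + nextId++, username, password, email);
        users.put(u.ref, u);
        byUsername.put(username, u.ref);
        return u;
    }

    Optional<User> login(String username, String password) {
        String ref = byUsername.get(username);
        User u = ref == null ? null : users.get(ref);
        return (u != null && u.checkPassword(password)) ? Optional.of(u) : Optional.empty();
    }

    UserGroup createGroup(String name, User owner) {
        UserGroup g = new UserGroup("group-" + nextId++, name, owner.ref);
        groups.put(g.ref, g);
        return g;
    }

    // Both sides hold a ref list, so membership changes must update user and group together.
    void join(User u, UserGroup g) { g.users.add(u.ref); u.groups.add(g.ref); }
    void leave(User u, UserGroup g) { g.users.remove(u.ref); u.groups.remove(g.ref); }
}
```

Compile and run with `javac SecurityModelDemo.java && java SecurityModelDemo`. The point worth noticing is in `join`/`leave`: because the design keeps a reference list on both User and UserGroup, every membership change has to touch both resources, which is exactly why the page expects getUsers()/getGroups() on the services to become redundant.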
Changesets: [3120] [3184] [3200]
Reimplemented, taking meddle's notes into account. All done in a single revision in a new branch: [3390]
Merged into the trunk in [3531] and [3532].
Testing
Place the testing results here.
Comments
Write comments for this or later revisions here.