<
From version < 43.1 >
edited by Jerome
on 2012/04/05
To version < 44.1 >
edited by Denis Gervalle
on 2012/04/06
>
Change comment: Provide information about the new security authorization module

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.jvelociter
1 +XWiki.dgervalle
Content
... ... @@ -135,10 +135,22 @@
135 135  
136 136  == New Rights Implementation (Experimental) ==
137 137  
138 -{{error}}
139 -TODO for Denis: Add description here and point to the module documentation on extensions.xwiki.org. Explain its experimental state and how to test it.
140 -{{/error}}
138 +A new experimental security authorization module is now available and is aimed to replace the old right service API during the 4.x cycle. This new module provide its public API from the ##org.xwiki.security.authorization.AuthorizationManager## component. The whole authorization API has been rewritten from scratch with the following goals in mind:
141 141  
140 +* better performance by providing a ##SecurityCache## to cache both security rules and security access decisions.
141 +* allow extending the list of ##Right## by registering new rights with a declarative description.
142 +* allow customising the way the authorization decision are made, by providing a custom ##AuthorizationSettler## component.
143 +* stay independent from ##oldcore## and use proper interfaces to made the authorization process as much as possible independent from the rest.
144 +
145 +A bridge between this new security authorization module and the old implementation is also provided in ##org.xwiki.security.authorization.internal.XWikiCachingRightService## which could be used in xwiki.cfg to enable this new authorization manager as the default one. The new module could also be used side by side with the old implementation.
146 +
147 +The default implementation of the right settler, being written based on a fully restructured way to evaluate rights declaratively, has some subtle differences in the way security rules (right Xobjects) are interpreted and authorization decisions are made. Apart from improved consistency and yet to be discovered issues, the major differences still needing improvements are:
148 +
149 +* on an empty database, the guest user does not receive admin rights, and you need to enable and use superadmin to install an initial XAR.
150 +* in a multiwiki setup, user groups evaluated during decision are limited to those coming from the user wiki and those of the wiki of the targeted entity are not taken into account.
151 +
152 +The full documentation of this new module, in particular the way it now evaluate rights declaratively and allow augmenting and customising authorization decision is yet to be written. The new module provide a large Javadoc as a reference in the meantime. For the big picture, the new right service is now named ##AuthorizationManager##. Internally, it manipulates ##SecurityReference## (as well as ##UserSecurityReference## and ##GroupSecurityReference##, to represent entities, user and group), ##SecurityRule## (representing a right object) and ##SecurityAccess## (representing an access level in the old nomenclature), which are stored in a ##SecurityCache## using ##SecurityRuleEntry## (a set of rules) and ##SecurityAccessEntry## (the access of a given user). The ##AuthorizationManager## delegate cache management to a ##SecurityCacheLoader## which loads rules using a ##SecurityRuleLoader##; and delegate itself the access decision for a given user and a set of rules to an ##AuthorizationSettler##. This last one could be overridden to provide specific decision that could not be done in declarative mode.
153 +
142 142  == Miscellaneous ==
143 143  
144 144  * A new event ##ApplicationReadyEvent## is sent when the Application is ready to service requests. Event Listeners can now listen to this event.

Get Connected