jsecurity VS acegi

> Dear All,
>
> I've been planning to use either one of these 2 security options.   But I
> haven't decide it yet because these each one has 1 feature I like.  I plan
> to use it in intranet site where user can create and define its own security
> policy at runtime.  
>
> Frankly speaking I lean more towards ACEGI on this one because user and
> security are created at runtime(You don't need SecurityFilter...), but I
> really like Jsecurity plugin taglib where you can specify fine grained view
> down to each field.
>  

>
> James,
>
> I plan to make the role dynamic as well.  It is easier for me.
>
> Best Regards,
>
> Joni
>
> Joni,
>
> In JSecurity you can define all your filters on a role basis.  If you have
> planned ahead there would be no need to re-code for each new user, jsut
> assign them to a certain role.  That said having played with both I
> personally currently favour Acegi as I like the requestMapping style of
> securing things.
>
> James Hughes | Senior Software Engineer | Kainos | M: +353 (0)877 931 634 |
> j.hughes@...
>
> P Please consider the environment and do not print this mail unless
> necessary
> --
> View this message in context: http://www.nabble.com/jsecurity-VS-acegi-tp17272804p17274222.html
> Sent from the grails - user mailing list archive at Nabble.com.
>
>
> ---------------------------------------------------------------------
> To unsubscribe from this list, please visit:
>
>    http://xircles.codehaus.org/manage_email
>
>
>

>
> Hi there,
>
> I just notice your taglib test(AuthorizeTagLibTest) in plugin folder, I
> might play with it some more.  Somehow I miss that from your docs...
>
> The only thing remains is to create some manager program where I can specify
> each role permision for each domain fields.
>
> For example:
>
> class DomainFoo{
>    String blah;
> }
>
> then you have another domain to store your role
>
> class DomainRolePermission{
>   String domainName;
>   Role  theRole;
>   short permisionLevel;
> }
>
> Then I need to write a taglib something similar like this...
> <g:fieldVisibility value="${permisionLevel}"> ...
>
> the permisionLevel could be: read, write, hidden
>
> Then it will render text box if writeable, or hidden input, etc....
>
> I am actually planning to write this because its pretty simple
> actually(maybe).  But if you want to include that, it will be superb -- I'll
> owe you a beer for that :)
>
>
> Best Regards,
>
> J
>
> --
> View this message in context: http://www.nabble.com/jsecurity-VS-acegi-tp17272804p17274871.html
> Sent from the grails - user mailing list archive at Nabble.com.
>
>
> ---------------------------------------------------------------------
> To unsubscribe from this list, please visit:
>
>    http://xircles.codehaus.org/manage_email
>
>
>

> I may not be understanding what you're saying Jon, but I believe you're
> saying this:
>
> Your user wants to be able to define which roles can access function F.  You
> don't want to hard-code roles R and S  in advance to access the function F,
> but allow the end user to be able to define his own roles, and then say that
> those permissions can access the function. Is that correct?
>
> If so there are ways of doing that with Jsecurity. For instance, you could
> say that permission P is required to access the function (for instance,
> Modify Book), and then programatically, at run time, allow the end security
> admin to choose which users have that permission via JsecUserPermissionRel
> or JsecRolePermissionRel.
>
>
>
> On Fri, May 16, 2008 at 8:06 AM, Jon.S <bulkmailme@...> wrote:
>>
>> I just having problem with defining all securityFilter and assigning to
>> certain role in advance.  I rather like my customer to define its own role
>> and user.  Because it seems to me that if I need to add new security
>> permision into the filter I need to repackage my application to war file.
>> But correct me if I'm wrong on this.
>>
>> It's like what had shown in ACEGI tutorial where you can create new role,
>> and assign this role permision(such as restrict the role's url).
>>
>> Best Regards,
>>
>> J
>> --
>> View this message in context:
>> http://www.nabble.com/jsecurity-VS-acegi-tp17272804p17275557.html
>> Sent from the grails - user mailing list archive at Nabble.com.
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe from this list, please visit:
>>
>>    http://xircles.codehaus.org/manage_email
>>
>>
>
>
>
> --
> Ricardo J. Méndez
> http://ricardo.strangevistas.net/

> 2008/5/16 Jon.S <bulkmailme@...>:
>>
>> I just having problem with defining all securityFilter and assigning to
>> certain role in advance.  I rather like my customer to define its own role
>> and user.  Because it seems to me that if I need to add new security
>> permision into the filter I need to repackage my application to war file.
>> But correct me if I'm wrong on this.
>>
>> It's like what had shown in ACEGI tutorial where you can create new role,
>> and assign this role permision(such as restrict the role's url).
>
> Ah, I've read the tutorial now so I know what you're talking about :)
> This is possible, but would require some work on your part. So in this
> particular case, it may be better to go with the Acegi plugin.
>
> I was about to explain how to do this with the JSecurity plugin, but
> it requires some serious thought. One approach would be to dynamically
> add Grails filters, but I don't know how feasible that is. The only
> other option I think is to have a single filter that matches all pages
> and then does some pattern matching against something akin to
> RequestMap instances in the database. This wouldn't be easy, but is
> certainly doable. Whether it's a feature that's worth adding to the
> JSecurity plugin depends on what the users think :)
>
> Regards,
>
> Peter
>
> --
> Software Engineer
> G2One, Inc.
> http://www.g2one.com/
>
> ---------------------------------------------------------------------
> To unsubscribe from this list, please visit:
>
>    http://xircles.codehaus.org/manage_email
>
>
>

> I vote for it - the ability to specify requestMappings to the database
> would be nice.
>
> However my previous email stands as a valid solution.  And I think it
> is the ideal solution, and here's why:
>
> If an admin can create a user or delete a user, or modify a forum
> post, or whatever - these are all actions related to application
> functionality core to what your system does.
>
> The fact that this functionality is executed based on what
> controller/url you visit is irrelevant.  In my opinion, permissioning
> Controllers or URLs is a backwards way to think of the problem - its
> inherently tied to how the GUI operates, which is secondary to how
> your business logic should operate.
>
> Your code _should_ perform permission checks based on raw permission
> types (JSecurity supports Strings as well if you don't want to code
> Permission classes).
>
> This has big implications for other plugins:  Other plugins could
> export somehow the Permission types (along with possible actions that
> you can perform for a given type) that they use to control access.
> The JSecurity plugin could get these types, and create a GSP page that
> dynamically shows you all permissions available to a system, and an
> admin could check off permission types & action combinations that they
> want to assign to specific roles.  It could be a unified dynamic
> security functionality available to _any_ plugin, all without
> requiring the plugin developers to code this themselves.
>
> Incredibly powerful if you think about business logic checks and stop
> thinking about which urls you visit.
>
> Cheers,
>
> Les
>
> On Fri, May 16, 2008 at 10:57 AM, Peter Ledbrook <peter@...> wrote:
>> 2008/5/16 Jon.S <bulkmailme@...>:
>>>
>>> I just having problem with defining all securityFilter and assigning to
>>> certain role in advance.  I rather like my customer to define its own role
>>> and user.  Because it seems to me that if I need to add new security
>>> permision into the filter I need to repackage my application to war file.
>>> But correct me if I'm wrong on this.
>>>
>>> It's like what had shown in ACEGI tutorial where you can create new role,
>>> and assign this role permision(such as restrict the role's url).
>>
>> Ah, I've read the tutorial now so I know what you're talking about :)
>> This is possible, but would require some work on your part. So in this
>> particular case, it may be better to go with the Acegi plugin.
>>
>> I was about to explain how to do this with the JSecurity plugin, but
>> it requires some serious thought. One approach would be to dynamically
>> add Grails filters, but I don't know how feasible that is. The only
>> other option I think is to have a single filter that matches all pages
>> and then does some pattern matching against something akin to
>> RequestMap instances in the database. This wouldn't be easy, but is
>> certainly doable. Whether it's a feature that's worth adding to the
>> JSecurity plugin depends on what the users think :)
>>
>> Regards,
>>
>> Peter
>>
>> --
>> Software Engineer
>> G2One, Inc.
>> http://www.g2one.com/
>>
>> ---------------------------------------------------------------------
>> To unsubscribe from this list, please visit:
>>
>>    http://xircles.codehaus.org/manage_email
>>
>>
>>
>