DHIS2 - Struts2 - Spring Security2

Hi people,

This is to announce the alpha release of the DHIS2 + Struts2 (s2) + Spring Security2 (ss2) integration. As s2 and ss2 are major, system-wide changes, they need intensive testing. Code is available at URL: https://code.launchpad.net/~dhis2-devs/dhis2/d2s2ss2 . S2 is the most recent upgrade of WebWork and ss2 is of Acegi Security; ss2 especially is used as is, without customization, and each URL can have its own security credentials. From this standpoint we are free to define ROLES and sets of roles (most common use cases into one role). All security concerns are now in one single XML file, easy to understand, and exist independently of other frameworks in DHIS2. We can also use method-level security, if method namings are appropriate, using AOP. Please share your experiences and the types of user roles you have, so we can adjust the system to host that functionality.

regards,
murod

Delighted to see progress on this.

One thing that I’ve encountered (and which should become a blueprint) is that you would like to automatically generate users who only have access to subtrees (at a certain level).

The concrete example is that you have all the countries in the world (grouped into regions), and would like to have a user for each country who should not have access to data for any other country. With 200 countries, you don’t want to do this manually…

Knut

···

On Fri, Aug 14, 2009 at 10:51 AM, Murodullo Latifov murodlatifov@yahoo.com wrote:



Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp


Cheers,
Knut Staring

I think if you have 200 users it is maybe a good use case for using something like LDAP to manage them. For example, you guys at WHO are probably all already maintained in an Active Directory server for login to the network etc. It would be nice to be able to use the same usernames and passwords in DHIS. I gather with Spring Security 2 this would be quite easy to do.

Good to see progress on this.

Cheers
Bob

···

2009/8/14 Knut Staring knutst@gmail.com


Hi Knut,

Good point. There is no automatic assignment in security; one must be authenticated before accessing resources, but if you mean assigning the top org unit hierarchy to give access to subs, it’s possible (not implemented). The current implementation gives lots of possibilities to do that easily.
Add blueprint please, nice comment.

murod

···

From: Knut Staring knutst@gmail.com
To: Murodullo Latifov murodlatifov@yahoo.com
Cc: DHIS 2 developers dhis2-devs@lists.launchpad.net; Sundeep Sahay sundeep.sahay@yahoo.com; Jørn Braa jornbraa@gmail.com
Sent: Friday, August 14, 2009 2:28:00 PM
Subject: Re: [Dhis2-devs] DHIS2 - Struts2 - Spring Security2


Hi Bob,

Don’t agree, I don’t think LDAP gives something special, though it is there, we can activate it. It’s useful when a lazy guy does not want to log in again, because he has already logged into his Windows machine and mostly has no time for this. In this case he can tick “remember me” once, actually new functionality in security, and every next time from that machine he will be authenticated automatically.

murod

···

From: Bob Jolliffe bobjolliffe@gmail.com
To: Knut Staring knutst@gmail.com
Cc: Murodullo Latifov murodlatifov@yahoo.com; Sundeep Sahay sundeep.sahay@yahoo.com; Jørn Braa jornbraa@gmail.com; DHIS 2 developers dhis2-devs@lists.launchpad.net
Sent: Friday, August 14, 2009 2:36:53 PM
Subject: Re: [Dhis2-devs] DHIS2 - Struts2 - Spring Security2


Sorry for top-posting, in the middle of a research proposal here :slight_smile:

If we have concrete plans for this kind of user scale, I definitely think we should evaluate the user/authn/authz architecture in more detail. I'm not immediately convinced there are quick wins to be gained here without having a really relaxed security scheme (and then, what's the value?). A quick question: how would we know the correct user group gets hold of their username and password?

Jo

···

On 14 Aug 2009 at 11:25, Murodullo Latifov wrote:


Hi Jo,

The call is to tell us what kind of users you want to see and what access levels they have. For an ordinary user to have access to change their own password, you have to assign him the role ROLE_dhis-web-maintenance-user, but this is an initial set; we are calling for more options and intensive tests. You can assign user roles as before through the user settings menu option. Sorry, links are not i18nized for now.

murod

···

----- Original Message ----
From: Jo Størset <storset@gmail.com>
To: Murodullo Latifov <murodlatifov@yahoo.com>
Cc: Bob Jolliffe <bobjolliffe@gmail.com>; Knut Staring <knutst@gmail.com>; Sundeep Sahay <sundeep.sahay@yahoo.com>; Jørn Braa <jornbraa@gmail.com>; DHIS 2 developers <dhis2-devs@lists.launchpad.net>
Sent: Friday, August 14, 2009 3:27:06 PM
Subject: Re: [Dhis2-devs] DHIS2 - Struts2 - Spring Security2


Hi Murod

Hi Bob,

Don’t agree, I don’t think LDAP gives something special, though it is there, we can activate it. It’s useful when a lazy guy does not want to log in again, because he has already logged into his Windows machine and mostly has no time for this.

I don’t think LDAP has really much to do with the lazy guy who doesn’t want to log in again. It’s more about the lazy system/network administrator. In an enterprise environment (not a small clinic, but maybe WHO, a national or even large district health department office) it is quite likely that there is an existing directory server - typically an AD or Novell setup. When you are responsible for that kind of environment you want to avoid a multiplicity of new systems being placed on the network which require their own separate administration of users. So if you are smart you place in your procurement guidelines that any new system being purchased must integrate into the existing directory setup. This is also nice for tender evaluations because it’s an easy box to tick and eliminate lots of systems on objective grounds. That is why it is a standard feature on almost any enterprise-scale software you might think of - Alfresco, Liferay, Plone, Jira, Zenoss, SharePoint, Zimbra, Exchange etc etc.

Now this array is not our common use case, but in an enterprise of 200 users it is much more likely that DHIS should be expected to play along nicely with everything else. And it’s great that Spring Security allows it. Don’t get me wrong - I really don’t think it is a priority. Just welcoming the new possibility we now have.

In this case he can tick “remember me” once, actually new functionality in security, and every next time from that machine he will be authenticated automatically.

I think we should consider disabling this feature. It’s not a good idea to allow this.

Anyway, don’t mean to sabotage your call … you are calling for use cases for user roles.

Regards
Bob

···

2009/8/14 Murodullo Latifov murodlatifov@yahoo.com


My comment was probably not very good. I was trying to understand the example Knut had, probably not understanding what it means to "generate users". I'll keep away until I actually have time to look at these things myself :slight_smile:

Jo

···

On 14 Aug 2009 at 12:12, Murodullo Latifov wrote:


I’ve been playing around with this branch for the last 2 days… and congratulations on the move to Struts2… The interesting part of Spring Security is where all URL security is managed through a single XML. Not sure how we will use the UI to define these roles?

But most of the old code is still existing, and places where the access denied error comes is where I see the new Spring Security being used. I’m not quite sure still how the modules will be moving to use these changes. I believe it’s going to be some effort from now on…

Once I think we can move fully to these changes (which IMO will be a long effort), I hope we will see some performance improvements because we don’t scan through the module xmls any more… This branch at the moment is very much like our trunk and hopefully you are removing the old code out.

···

Regards,
Saptarshi PURKAYASTHA
Director R & D, HISP India
Health Information Systems Programme

My Tech Blog: http://sunnytalkstech.blogspot.com

You Live by CHOICE, Not by CHANCE

2009/8/14 Jo Størset storset@gmail.com

On 14 Aug 2009 at 12:12, Murodullo Latifov wrote:


Hi Jo,

I might have got Knut's point incorrectly. If this is the case, Bob's suggestion is quite appropriate. If there is an existing authentication mechanism like Active Directory (e.g. Microsoft's LDAP implementation), the system could be adjusted to use LDAP, but it is not provided out of the box. The reason is that not every installation has AD or LDAP ready for use (e.g. Windows XP), and we have many single-machine use cases.
In the case of an already existing LDAP server, it's a matter of changing the authentication provider to an LDAP one. In this case user roles should also be managed by the LDAP server.

murod

···

----- Original Message ----
From: Jo Størset <storset@gmail.com>
To: Murodullo Latifov <murodlatifov@yahoo.com>
Cc: Bob Jolliffe <bobjolliffe@gmail.com>; Knut Staring <knutst@gmail.com>; Sundeep Sahay <sundeep.sahay@yahoo.com>; Jørn Braa <jornbraa@gmail.com>; DHIS 2 developers <dhis2-devs@lists.launchpad.net>
Sent: Friday, August 14, 2009 5:06:17 PM
Subject: Re: [Dhis2-devs] DHIS2 - Struts2 - Spring Security2


Hi,

···

From: Saptarshi Purkayastha sunbiz@gmail.com
To: Murodullo Latifov murodlatifov@yahoo.com
Cc: Jo Størset storset@gmail.com; Sundeep Sahay sundeep.sahay@yahoo.com; Jørn Braa jornbraa@gmail.com; DHIS 2 developers dhis2-devs@lists.launchpad.net
Sent: Monday, August 17, 2009 4:17:46 PM
Subject: Re: [Dhis2-devs] DHIS2 - Struts2 - Spring Security2

I’ve been playing around with this branch for the last 2 days… and congratulations on the move to Struts2… The interesting part of Spring Security is where all URL security is managed through a single XML. Not sure how we will use the UI to define these roles?

Roles are created as before, through the maintenance-user module. We need to create some of the most used cases (e.g. admin, user, data entry) as well as individual operation authorities. Each available URL can be assigned to a role (or a group of URLs using an expression). From the UI one can select a predefined role such as admin or user, or create another role with a custom selection of available authorities plus predefined roles if needed.

But most of the old code is still existing, and places where the access denied error comes is where I see the new Spring Security being used. I’m not quite sure still how the modules will be moving to use these changes. I believe it’s going to be some effort from now on…

Old code is there but muted; it has no use in the current settings, as none of it is populated in the Spring beans.xml. If you see Access denied in a blank white page, that means the new security is doing that. As for modular design, the Spring Security XML config is used by all, individually or in a set of selected modules. Each module can have its security authorities and roles in that XML; while a module is not in use, these authorities remain unused.

Once I think we can move fully to these changes (which IMO will be a long effort), I hope we will see some performance improvements because we don’t scan through the module xmls any more… This branch at the moment is very much like our trunk and hopefully you are removing the old code out.

I’ll remove old code as obsolete or deprecated. Now and before, on each iteration user credentials are rechecked, because all processes go through Struts interceptors and they are called each time a new URL comes in. This might be overhead; I’m looking for ways to reduce it further.

murod


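An added illustration, not the branch's own configuration file: a Spring Security 2.0 namespace file laid out the way Murod describes, with one URL authority per module plus ROLE_ALL, remember-me as an explicit element that can simply be omitted (Bob's concern), a pointcut-based method rule, and an LDAP provider that can be swapped in for a directory-backed site. The module URL prefixes, every role name other than ROLE_ALL and ROLE_dhis-web-maintenance-user, the bean id, the org.hisp.dhis pointcut and all LDAP values are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative Spring Security 2.0 namespace configuration written for this
     thread; it is not the file from the d2s2ss2 branch. Module URL prefixes,
     every role name except ROLE_ALL and ROLE_dhis-web-maintenance-user, the
     bean id, the org.hisp.dhis pointcut and all LDAP values are assumptions. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-2.0.xsd">

  <http auto-config="false">
    <!-- The login page itself must be reachable without a session. -->
    <intercept-url pattern="/dhis-web-commons/security/**" filters="none"/>

    <!-- One authority per module: a module that is not deployed simply leaves
         its authority unused. Patterns are matched top-down, so the specific
         rules come first and the deny-by-default catch-all is last. -->
    <intercept-url pattern="/dhis-web-maintenance-user/**"
                   access="ROLE_dhis-web-maintenance-user,ROLE_ALL"/>
    <intercept-url pattern="/dhis-web-dataentry/**"
                   access="ROLE_dhis-web-dataentry,ROLE_ALL"/>
    <intercept-url pattern="/**" access="ROLE_USER,ROLE_ALL"/>

    <form-login login-page="/dhis-web-commons/security/login.action"
                authentication-failure-url="/dhis-web-commons/security/login.action?failed=true"/>
    <logout logout-success-url="/dhis-web-commons/security/login.action"/>

    <!-- The "remember me" tick box discussed above. Leaving this element out
         disables the feature entirely; if it stays, the key must be unique per
         deployment, because it signs the cookie that stands in for a login. -->
    <remember-me key="CHANGE-ME-per-deployment"/>
  </http>

  <!-- Default provider: accounts and roles from the DHIS2 user store, exposed
       as a UserDetailsService bean (bean id assumed). -->
  <authentication-provider user-service-ref="userDetailsService">
    <password-encoder hash="sha"/>
  </authentication-provider>

  <!-- Directory-backed alternative for the enterprise case: replace the
       provider above with these two elements. Roles then come from the user's
       LDAP groups (group cn mapped to ROLE_ + upper-cased cn), so they are
       managed in the directory rather than in DHIS2. -->
  <!--
  <ldap-server url="ldap://directory.example.org:389/dc=example,dc=org"/>
  <ldap-authentication-provider user-dn-pattern="uid={0},ou=people"
                                group-search-base="ou=groups"/>
  -->

  <!-- Method-level rule via AOP, keyed on method naming as Murod describes:
       every delete* on a service requires ROLE_ALL, whichever URL reached it. -->
  <global-method-security>
    <protect-pointcut expression="execution(* org.hisp.dhis..*Service.delete*(..))"
                      access="ROLE_ALL"/>
  </global-method-security>
</beans:beans>
```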

Hi,

I am not able to log in on existing or new databases. Admin/district does not work; how does one log in?

Lars

I was using an existing database and used the same user/pass I had in that database and was able to log in…
Does the login “please wait” go on forever? If that’s the case, then it is another bug that I encountered once on our trunk, which can be solved by restarting Tomcat.

···

Regards,
Saptarshi PURKAYASTHA
Director R & D, HISP India
Health Information Systems Programme

My Tech Blog: http://sunnytalkstech.blogspot.com

You Live by CHOICE, Not by CHANCE


Sorry it works with existing databases. It does not work on new databases.

But I am not getting to see any modules in the top menu, even when logging in with an admin user. Maybe the user authorities must be set up again, but I am not able to get to the user module. When I enter the URL manually I get "access denied!". Did you have any success here?


Hi Lars,

A new database does not create admin/district if one does not exist; I am working on doing this with a startup routine check. I was discussing this issue with you earlier; it is not Spring Security's responsibility to create the user/password. For an existing database you should have ROLE_ALL in your role list.

murod


From: Saptarshi Purkayastha sunbiz@gmail.com
To: Lars Helge Øverland larshelge@gmail.com
Cc: Murodullo Latifov murodlatifov@yahoo.com; Sundeep Sahay sundeep.sahay@yahoo.com; Jørn Braa jornbraa@gmail.com; DHIS 2 developers dhis2-devs@lists.launchpad.net
Sent: Wednesday, August 19, 2009 8:05:37 PM
Subject: Re: [Dhis2-devs] DHIS2 - Struts2 - Spring Security2


Hi Lars,


----- Original Message ----
From: Lars Helge Øverland <larshelge@gmail.com>
To: Saptarshi Purkayastha <sunbiz@gmail.com>
Cc: Murodullo Latifov <murodlatifov@yahoo.com>; DHIS 2 developers <dhis2-devs@lists.launchpad.net>
Sent: Wednesday, August 19, 2009 8:17:29 PM
Subject: Re: [Dhis2-devs] DHIS2 - Struts2 - Spring Security2


If the user has ROLE_ALL, they are provided all menu options; otherwise that user has to be granted the module menu, that is, select the role with the module name on it. The prefix ROLE_ was added for all roles; M_, F_ and "" are obsolete now (we can activate them if needed, but I think this one is better). Tough, but secure; maybe not the right decision, but each single URL can have its role. A user can have access to the menu, but the left menu will be access denied unless the user has that authority.
To see it all at work, create a new user role and see. Look at security-beans.xml.
We should think of migrating existing roles into new counterparts when people decide to upgrade.

murod

A comment: One problem with having all security concerns in one single XML file is modularization and local modules. How should the local Indian/Vietnamese modules deal with this? How can we easily swap modules in and out with this setup?

Lars


On Fri, Aug 14, 2009 at 10:51 AM, Murodullo Latifov<murodlatifov@yahoo.com> wrote:


Hi Lars,

There is only one way: to add new roles and URLs into the single XML file. I think there is a way to spread security into many bean XMLs (one could be using the "parent" directive, not sure), but having it all in one point is better. If a module is not used, its roles and URLs can still be there, with no effect.

murod
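An added illustration of the single-file layout discussed in this thread, written with the Spring Security 2.0 namespace; it is a constructed example, not DHIS2's actual security-beans.xml. The module URL prefixes, the login page path and the userDetailsService bean name are assumptions; what it shows is one ROLE_-prefixed authority per module URL pattern, ROLE_ALL accepted everywhere, a catch-all that denies unlisted URLs to ordinary users, and a rule for an undeployed local module that simply never matches.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed security-beans.xml layout (not the real DHIS2 file). -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-2.0.xsd">

  <!-- Paths below are assumed module prefixes, not taken from DHIS2 sources. -->
  <http auto-config="true" access-denied-page="/dhis-web-commons/security/accessDenied.action">
    <!-- Login resources must stay reachable before authentication. -->
    <intercept-url pattern="/dhis-web-commons/security/**" filters="none"/>

    <!-- One rule per module URL prefix. The first matching pattern wins, so module
         rules go before the catch-all. Authorities keep the ROLE_ prefix because
         RoleVoter only considers authorities starting with that prefix by default. -->
    <intercept-url pattern="/dhis-web-maintenance-user/**"
        access="ROLE_dhis-web-maintenance-user,ROLE_ALL"/>
    <intercept-url pattern="/dhis-web-dataentry/**"
        access="ROLE_dhis-web-dataentry,ROLE_ALL"/>
    <!-- A local module that is not deployed: its rule stays here with no effect. -->
    <intercept-url pattern="/dhis-web-local-in/**"
        access="ROLE_dhis-web-local-in,ROLE_ALL"/>

    <!-- Anything not listed above is reachable only with ROLE_ALL, so a new module's
         URLs are denied to ordinary users until a rule is added to this file. -->
    <intercept-url pattern="/**" access="ROLE_ALL"/>

    <form-login login-page="/dhis-web-commons/security/login.action"
        authentication-failure-url="/dhis-web-commons/security/login.action?failed=true"/>
    <logout logout-success-url="/dhis-web-commons/security/login.action"/>
  </http>

  <!-- Users and their granted authorities come from an assumed UserDetailsService bean. -->
  <authentication-provider user-service-ref="userDetailsService"/>

  <!-- Enables @Secured on service methods: the method-level, AOP-based option
       mentioned in the announcement. -->
  <global-method-security secured-annotations="enabled"/>
</beans:beans>
```

Because every pattern is in one file, swapping a module in or out means editing this list, which is the modularization cost Lars raises; a module whose URLs are absent from the deployment is harmless here because its pattern never matches a request.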


----- Original Message ----
From: Lars Helge Øverland <larshelge@gmail.com>
To: Murodullo Latifov <murodlatifov@yahoo.com>
Cc: DHIS 2 developers <dhis2-devs@lists.launchpad.net>
Sent: Friday, August 21, 2009 2:30:19 PM
Subject: Re: [Dhis2-devs] DHIS2 - Struts2 - Spring Security2


Yes. But it is not pretty and it wouldn't really be modularization anymore. What is specific to a module should be inside the module.


2009/8/23 Murodullo Latifov <murodlatifov@yahoo.com>:
