[BlueBream] Document default security policy

Baiju M baiju.m.mail at gmail.com
Wed Jul 28 03:59:54 EDT 2010


Hi All,
        I think one of the important missing documents is the one
about the default security policy in BB.

We are defining security policy in the "securitypolicy.zcml" file.
By default this file resides inside the project source
directory.  For example, if the project name is "tc.main",
the security configuration file will be in this path:
"src/tc/main/securitypolicy.zcml"
The security policy configuration file is included from
the main "configure.zcml", which resides in the
same directory.

We need to explain:-

- What is a security policy?
- A brief overview of Principal/Role/Permission concepts
  used in the default security policy.
- A brief overview of the default security policy and its intent.
  We should mention that what is given in "securitypolicy.zcml"
  is a sample file, which users are recommended to change.
  In fact we already have a comment like this at the
  beginning of that file:
  <!-- This file contains sample security policy definition -->
- Explain each ZCML directive related to the security policy
  (securityPolicy, unauthenticatedPrincipal, unauthenticatedGroup,
   authenticatedGroup, everybodyGroup, role, grant, principal)
- Brief overview of each definition in the file (securitypolicy.zcml)
  Maybe this can be combined with the previous part.
- Explain how to add new permissions, roles
  Recommendation for naming IDs -- there should be a "." character
  in the ID -- a URL can be used as an ID, but this is not common.
- Mention that HTTP basic authentication will be used by
  default (where does it come from?) -- mention the other chapter
  about PAU (which is yet to be created)

Now I think this chapter can be named "Basic Security"
and incorporate content from here:
http://wiki.zope.org/bluebream/BasicSecurity
(Based on Stephan Richter's book)
Or we can have a chapter on BasicSecurity and
documentation about default security policy
could be another chapter.

Maybe we can include a *sidebar* about the security framework
used to build the BB security - Checkers, Proxies etc.
(http://pypi.python.org/pypi/zope.security)

We should have a separate chapter on PAU.
And it should be mentioned from here as the
next step.  We need to think more about
this chapter :)

If anyone wants to work on this introductory chapter on
BB security, please let me know.

Please suggest if any other topic needs to be covered.

BTW, I have added a ticket for this:
http://wiki.zope.org/bluebream/14DefaultSecurityPolicy

Regards,
Baiju M
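Added example (not from the post above, and not the sample file shipped with BlueBream): a securitypolicy.zcml for the hypothetical "tc.main" project used in the post, showing each directive the post lists, plus a project-specific permission and role whose IDs follow the "." naming recommendation. The project name, the "tc.main.EditArticle" permission, the "tc.main.Editor" role and the admin/admin credentials are placeholders chosen for illustration. It assumes the "zope.View" permission is defined by a package already loaded by the project's configure.zcml, and it also uses grantAll, which the post does not list but which zope.securitypolicy provides alongside grant.

```xml
<!-- Added example for a hypothetical project "tc.main" (src/tc/main/securitypolicy.zcml).
     IDs, titles and credentials below are placeholders, not BlueBream defaults. -->
<configure xmlns="http://namespaces.zope.org/zope">

  <!-- Install the role/permission based policy from zope.securitypolicy -->
  <securityPolicy
      component="zope.securitypolicy.zopepolicy.ZopeSecurityPolicy" />

  <!-- Principal assigned to requests that carry no valid credentials -->
  <unauthenticatedPrincipal
      id="zope.anybody"
      title="Unauthenticated User" />

  <!-- Groups that the policy attaches to principals automatically:
       unauthenticated requests, authenticated ones, and everybody -->
  <unauthenticatedGroup
      id="zope.Anybody"
      title="Unauthenticated Users" />
  <authenticatedGroup
      id="zope.Authenticated"
      title="Authenticated Users" />
  <everybodyGroup
      id="zope.Everybody"
      title="All Users" />

  <!-- Roles -->
  <role id="zope.Anonymous" title="Everybody"
        description="All users have this role implicitly" />
  <role id="zope.Manager" title="Site Manager" />

  <!-- Project-specific permission and role (placeholders);
       note the "." in both IDs, as recommended -->
  <permission id="tc.main.EditArticle" title="Edit tc.main articles" />
  <role id="tc.main.Editor" title="tc.main Editor" />

  <!-- Grants: permission -> role; grantAll gives a role every permission -->
  <grant permission="zope.View" role="zope.Anonymous" />
  <grant permission="tc.main.EditArticle" role="tc.main.Editor" />
  <grantAll role="zope.Manager" />

  <!-- Placeholder manager account; the login/password pair is what
       HTTP basic authentication checks. Change it before deployment. -->
  <principal
      id="zope.manager"
      title="Manager"
      login="admin"
      password_manager="Plain Text"
      password="admin" />

  <!-- Grant: role -> principal -->
  <grant role="zope.Manager" principal="zope.manager" />

</configure>
```

With this file included from configure.zcml, an unauthenticated request is treated as "zope.anybody", gets the implicit "zope.Anonymous" role and so only "zope.View"; a request carrying the placeholder credentials becomes "zope.manager" and, through "zope.Manager" and grantAll, passes every permission check. A principal given only "tc.main.Editor" can exercise "tc.main.EditArticle" and nothing else granted elsewhere, which is the least-privilege shape a project policy should take.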

