[Zope3-dev] Re: Security Model

Florent Guillaume fg at nuxeo.com
Wed Jan 7 06:06:34 EST 2004 

Jim wrote wrote:
> I'll just note that an upcoming project will be to refactor the
> authorization system in a way that should make it much more obvious
> how to implement the sorts of systems sketched out in this thread.
> 
> This is a possible project for the F12g sprint in January.
> 
> As a matter of jargon, I see Zope 3's security system as consisting
> of 4 parts.
> 
> 1. A system for declaring the permissions needed to access
>     names in objects or classes of objects. I don't have a good name
>     for this. (Security requirements? Permission requirements?)
> 
> 2. A system for enforcing permission requirements. This is implemented
>     via security proxies.  In the future, it may involve a combination of
>     security proxies and code manipulation.  I think a good name for
>     this might be the protection system.
> 
>     This system is somewhat pluggable through checker components, which are
>     used to define the actual rules used by security proxies.
> 
> 3. A system for assigning principals to requests. This is the authentication
>     system.  It is pluggable through the provision of authentication services.
> 
> 4. A system for deciding whether principals have permissions.  This is
>     the authorization system.  It is pluggable through the provision of
>     a security proxy and associated infrastructure (registered components)
>     to manage authrization data. Different security policies will require
>     different data, depending on the underlying model.

In PluggableUserFolder we have found it important to separate
authentication in two phases that may be treated by different pluggins:

   * Identification: The way the client tells the server who the
     user is. When it comes to web, this is typically methods like
     Basic HTTP Authentication, Cookies or SSL Certificates.

   * Authentication: Making sure the user is who he/she is. This typically
     involves looking up the user in a user database and validating the users
     password.

Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87  http://nuxeo.com  mailto:fg at nuxeo.com

More information about the Zope3-dev mailing list