[Zope3-dev] RFC: Unification of requests and security contexts through Use

Jim Fulton jim at zope.com
Sat Jan 17 10:30:53 EST 2004


Sidnei da Silva wrote:
> On Fri, Jan 16, 2004 at 03:50:23PM -0500, Jim Fulton wrote:
> | 
> | Yesterday, Steve and I came up with some ideas for:
> | 
> |   - Improving the management of security contexts
> | 
> |   - Conceptually unifying security and presentation.  This isn't something
> |     we set out to do, but rather something that became apparent in our 
> |     discussions.
> | 
> | See:
> | 
> |   http://dev.zope.org/Zope3/UnificationOfRequestsAndSecurityContextsThroughUse
> 
> It looks pretty good IMHO, specially for removing the lookup of the
> security context. One thing that I would like to see is a more detailed
> description of the lifecycle of a use. eg: how it is registered, when
> it is created, if a Use can be shared between proxies, etc.

OK, I've added some text to answer these questions.

> If I understand correctly, a Use is the equivalent of a security
> context?

Not quite.  I see the use having a much broader role.  We will change
the security framework to use the use where we now use the security
context, but I think that the use will be used for much more.

For example, in an application like Zope, where location is important,
we might associate a location with a use. Then, when we need to look up
components based on location but don't have a location handy (e.g. because we
are working with an object that doesn't maintain location), we could get
a location from the use.

> I wonder if it could help on improving the lookup of
> principal roles for example. Currently, roles are looked up several
> times (sometimes 40+) per request, per location.

Possibly.  On a separate, but related note, the work that Steve and
Chris and I have been doing wrt security this week has been aimed at
making it much clearer how the authorization system fits into the larger
security architecture. We hope to make it more obvious to people how
they would replace the authorization system to provide features they need,
to provide greater performance or auditing, and to avoid paying, in terms
of performance, for features that they don't need.

> | In explaining this to some folks here at ZC, there was quite a bit of
> | discussion about terminology.  The most controversial aspect of which was
> | the continued use of "request" as a name for an actor's participation, at
> | least in a browser context.
> 
> What other suggestions there were? 

There was more discomfort with the word "request" than advocacy of a different
word.  Hopefully, someone will offer some other suggestions.  I think participation
is a good word for the broader concept.

Jim

-- 
Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org