[08:23:56 CST(-0600)] <TonyUnicon> good morning Patty, did you schedule the meeting for today? I didn't get anything

[08:25:11 CST(-0600)] <Patty_> on the list of to-dos for this morning

[08:25:16 CST(-0600)] <Patty_> I will send here in a bit

[09:35:49 CST(-0600)] <TonyUnicon> good morning Dan, I have a question about the security stuff

[09:36:03 CST(-0600)] <TonyUnicon> for unauthenticated mode

[09:36:17 CST(-0600)] <dmccallum54> k

[09:36:19 CST(-0600)] <TonyUnicon> how do we allow these requests when a user is not signed in

[09:36:28 CST(-0600)] <TonyUnicon> is it possible?

[09:37:01 CST(-0600)] <dmccallum54> i think so. one sec.

[09:44:58 CST(-0600)] <TonyUnicon> also, what is the mvn goal to minify javascript? it does not seem to do it on install

[09:46:44 CST(-0600)] <dmccallum54> ok… security… there are a few different url spaces for mygps right… there's the fragment space (owned by the portal), there's the api space, and there's the portal-independent UI space

[09:48:07 CST(-0600)] <dmccallum54> for the fragment space, you're never going to be accessing that anonymously, right? you'd only be going that route if you've decided you need to authenticate and the portal needs somewhere to redirect you. so we might not need to do anything special there

[09:49:55 CST(-0600)] <dmccallum54> for the API space… i don't see any special interceptors configured for that space… which means security should depend entirely on method-level annotations. so i think we'd just need to go through those and figure out which ones can/should be accessible anonymously

[09:51:25 CST(-0600)] <dmccallum54> for those that can be accessed anonymously, i think the annotation would be a spring EL expression that allows either authenticated or anonymous users… i'd just have to experiment to figure out exactly what works

[09:53:15 CST(-0600)] <dmccallum54> if GPS needs to access other, existing SSP API URLs which have already been locked down and don't allow anonymous access then we probably need to double check with russ on whether we can just throw those APIs open or if we need to concoct a GPS-only flavor of those APIs that only expose the "non-sensitive bits"

[09:55:19 CST(-0600)] <dmccallum54> another approach would be to actually grant permissions to the anonymous user. that way we don't have any "special cases" in our security annotations and you can manage access for the anonymous user just like you would for any other user

[09:56:43 CST(-0600)] <dmccallum54> i think that's actually a more desirable solution, but would require a certain amount of research to determine if there's a coherent way to manage permissions for the anonymous user if we're not always accessing GPS "through" the portal

[09:58:50 CST(-0600)] <dmccallum54> then there's the application UI space… i think you said GPS actually depends on publicly visible *.jsp resources… I don't see anything protecting those resources in security-config.xml… and I'm guessing the jsps themselves could just be wide-open if they're really just shells that call back to APIs for all their data

[09:59:14 CST(-0600)] <dmccallum54> let me know if any of that actually answered your questions

[10:03:13 CST(-0600)] <dmccallum54> for javascript minification… i was actually just thinking about mvn integration on the drive in today...

[10:03:34 CST(-0600)] <dmccallum54> right now i'm just running the sencha build tool by hand

[10:03:40 CST(-0600)] <dmccallum54> i can send an email on how to do that

[10:04:13 CST(-0600)] <dmccallum54> but i think we do need to convert that to a mvn-executed plugin and get the minified files out of source control