jasig-ssp IRC Logs-2013-01-23

[08:23:56 CST(-0600)] <TonyUnicon> good morning Patty, did you schedule the meeting for today? I didn't get anything

[08:25:11 CST(-0600)] <Patty_> on the list of to-dos for this morning

[08:25:16 CST(-0600)] <Patty_> I will send here in a bit

[09:35:49 CST(-0600)] <TonyUnicon> good morning Dan, I have a question about the security stuff

[09:36:03 CST(-0600)] <TonyUnicon> for unauthenticated mode

[09:36:17 CST(-0600)] <dmccallum54> k

[09:36:19 CST(-0600)] <TonyUnicon> how do we allow these requests when a user is not signed in

[09:36:28 CST(-0600)] <TonyUnicon> is it possible?

[09:37:01 CST(-0600)] <dmccallum54> i think so. one sec.

[09:44:58 CST(-0600)] <TonyUnicon> also, what is the mvn goal to minify javascript? it does not seem to do it on install

[09:46:44 CST(-0600)] <dmccallum54> ok… security… there are a few different url spaces for mygps right… there's the fragment space (owned by the portal), there's the api space, and there's the portal-independent UI space

[09:48:07 CST(-0600)] <dmccallum54> for the fragment space, you're never going to be accessing that anonymously, right? you'd only be going that route if you've decided you need to authenticate and the portal needs somewhere to redirect you. so we might not need to do anything special there

[09:49:55 CST(-0600)] <dmccallum54> for the API space… i dont see any special interceptors configured for that space… which means security should depend entirely on method-level annotations. so i think we'd just need to go through those and figure out which ones can/should be accessible anonymously

[09:51:25 CST(-0600)] <dmccallum54> for those that can be accessed anonymously, i think the annotation would be a spring EL expression that allows either authenticated or anonymous users… i'd just have to experiment to figure out exactly what works

[09:53:15 CST(-0600)] <dmccallum54> if GPS needs to access other, existing SSP API URLs which have already been locked down and dont allow anonymous access then we probably need to double check with russ on whether we can just throw those APIs open or if we need to concoct a GPS-only flavor of those APIs that only expose the "non-sensitive bits"

[09:55:19 CST(-0600)] <dmccallum54> another approach would be to actually grant permissions to the anonymous user. that way we dont have any "special cases" in our security annotations and you can manage access for the anonymous user just like you would for any other user

[09:56:43 CST(-0600)] <dmccallum54> i think that's actually a more desirable solution, but would require a certain amount of research to determine if there's a coherent way to manage permissions for the anonymous user if we're not always accessing GPS "through" the portal

[09:58:50 CST(-0600)] <dmccallum54> then there's the application UI space… i think you said GPS actually depends on publicly visible *.jsp resources… I don't see anything protecting those resources in security-config.xml… and I'm guessing the jsp's themselves could just be wide-open if they're really just shells that call back to APIs for all their data

[09:59:14 CST(-0600)] <dmccallum54> let me know if any of that actually answered your questions

[10:03:13 CST(-0600)] <dmccallum54> for javascript minification… i was actually just thinking about mvn integration on the drive in today...

[10:03:34 CST(-0600)] <dmccallum54> right now i'm just running the sencha build tool by hand

[10:03:40 CST(-0600)] <dmccallum54> i can send an email on how to do that

[10:04:13 CST(-0600)] <dmccallum54> but i think we do need to convert that to a mvn-executed plugin and get the minified files out of source control

[10:12:27 CST(-0600)] <TonyUnicon> thanks, I'll have to look into where MyGPS uses SSP api calls, I don't know off hand

[10:12:38 CST(-0600)] <TonyUnicon> the sencha goal would be useful

[10:12:45 CST(-0600)] <dmccallum54> indeed

[10:12:59 CST(-0600)] <TonyUnicon> this may explain my difficulties

[10:13:00 CST(-0600)] <dmccallum54> people, including me, keep forgetting to check in the minified js

[10:13:25 CST(-0600)] <TonyUnicon> when you were doing your ExtJs development

[10:13:40 CST(-0600)] <TonyUnicon> you obviously did this through import the app.js

[10:13:49 CST(-0600)] <dmccallum54> yes

[10:14:00 CST(-0600)] <TonyUnicon> so in other words

[10:14:07 CST(-0600)] <TonyUnicon> any file referenced in the

[10:14:17 CST(-0600)] <TonyUnicon> ssp.gb3 file

[10:14:29 CST(-0600)] <TonyUnicon> gets rolled up into app-all.js and app.js ?

[10:15:02 CST(-0600)] <dmccallum54> app-all.js and all-classes.js

[10:15:13 CST(-0600)] <TonyUnicon> ok

[10:15:20 CST(-0600)] <TonyUnicon> so if app.js is my entry point

[10:15:27 CST(-0600)] <dmccallum54> for dev yes

[10:15:31 CST(-0600)] <TonyUnicon> modifying the normal javascript files

[10:15:38 CST(-0600)] <TonyUnicon> I dont need to run the sencha goal?

[10:15:41 CST(-0600)] <dmccallum54> nope

[10:15:47 CST(-0600)] <TonyUnicon> ok

[10:16:12 CST(-0600)] <dmccallum54> i usually just flip ssp-main.jsp over to use app.js, hack on my other js files in source, and cp them into a running tomcat to see my changes

[10:16:28 CST(-0600)] <TonyUnicon> ok

[10:18:12 CST(-0600)] <TonyUnicon> does ssp.gb3 play any role at runtime?

[10:18:24 CST(-0600)] <TonyUnicon> or is it for packaging?

[10:18:26 CST(-0600)] <TonyUnicon> only

[10:18:32 CST(-0600)] <dmccallum54> i dont know for sure, but i dont think it serves a runtime function

[10:18:48 CST(-0600)] <TonyUnicon> ok

[10:36:28 CST(-0600)] <dmccallum54> js70 what's up with the 'unicon-coop-dev' label on SSP-586?

[10:37:58 CST(-0600)] <js70> Thats not correct. I've just been putting that label on all the stuff i'm working on.

[10:38:18 CST(-0600)] <dmccallum54> k. i'm removing it

[10:38:21 CST(-0600)] <js70> I assumed that its a way for us to indicate our contribution

[10:38:25 CST(-0600)] <js70> np

[10:38:33 CST(-0600)] <dmccallum54> nah

[10:38:41 CST(-0600)] <js70> any guidance on that would be awesome

[10:38:43 CST(-0600)] <dmccallum54> your time is not being billed to coop

[10:38:55 CST(-0600)] <dmccallum54> (unless i'm mistaken)

[10:39:15 CST(-0600)] <dmccallum54> Patty_ none of Jim or Tony's dev time is coop, correct?

[10:39:33 CST(-0600)] <js70> so no labels for our assignments.

[10:39:40 CST(-0600)] <TonyUnicon> coop?

[10:39:59 CST(-0600)] <dmccallum54> if you want to cook up labels to help you keep track of what you're doing, that's just fine

[10:40:09 CST(-0600)] <dmccallum54> but coop dev is this special thing that clients pay for

[10:40:35 CST(-0600)] <TonyUnicon> Patty did mention that we are billing the project by the hour

[10:40:50 CST(-0600)] <dmccallum54> oh yes

[10:40:53 CST(-0600)] <dmccallum54> but not to coop

[10:43:48 CST(-0600)] <js70> Thats fine. I don't need a label. Just wanted to make sure unicon had some visibility on SSP. I will take them off (they are on most of mine)

[10:44:09 CST(-0600)] <dmccallum54> oh we're keeping tabs on you. oh yes (smile)

[10:44:27 CST(-0600)] <dmccallum54> the problem is that charise is going to see those and freak out

[10:44:37 CST(-0600)] <dmccallum54> b/c she doesn't actually have coop staff working on those tickets

[10:44:38 CST(-0600)] <js70> got it.

[10:44:51 CST(-0600)] <dmccallum54> thx

[10:45:23 CST(-0600)] <js70> perfect. I hate to ask about every little detail...but the old assume ass-u-me does seem to hold true in most cases.

[10:45:34 CST(-0600)] <js70> As a heads up, I am not finding documentation for Distance Learning reports.

[10:45:59 CST(-0600)] <dmccallum54> no worries at all. would rather you just do what you think you need to do to stay organized and make progress. i dont need to be a bottleneck

[10:46:24 CST(-0600)] <js70> np. Will send an email off to Russ about the Distance Learning reports.

[10:46:29 CST(-0600)] <dmccallum54> sounds good

[10:46:36 CST(-0600)] <dmccallum54> how about to ssp-dev

[10:46:43 CST(-0600)] <js70> right.

[10:46:45 CST(-0600)] <dmccallum54> k

[10:57:45 CST(-0600)] <js70> Quick discussion on N+1, So I have created 4 methods that bring back a List of EntityStudentCountByCoachTOs through the entity daos. I then need to cycle through them to consolidate by coach (so 4 calls for all coaches). This should be pretty fast but wondering if its worth doing more like what you did and make a monster entity that is a single call.

[10:58:18 CST(-0600)] <js70> I mean just 4 dao calls to get all coaches.

[10:58:29 CST(-0600)] <js70> take it to 1 call.

[11:03:15 CST(-0600)] <dmccallum54> jim

[11:03:29 CST(-0600)] <dmccallum54> js70 as long as the # of calls is bounded, i'm just fine with it

[11:03:40 CST(-0600)] <dmccallum54> well, bounded and not, like, 300

[11:04:02 CST(-0600)] <js70> yeah its gone from n*8 to 4 calls

[11:04:09 CST(-0600)] <dmccallum54> let's move on!

[11:04:34 CST(-0600)] <js70> perfect. I'll test and check it in.

[11:06:24 CST(-0600)] <dmccallum54> awesome

[11:07:17 CST(-0600)] <js70> so about check in. As long as we mark it with SSP-tag thats all you need for handling github releases correct? Or is there a way to tag it to the jira ticket. (You mentioned yesterday that you want to be able to do an update for just this issue.)

[11:07:49 CST(-0600)] <dmccallum54> just prefix the first line of your commit log with the jira ticket ID

[11:07:57 CST(-0600)] <dmccallum54> SSP-XXX Fixed N+1

[11:08:16 CST(-0600)] <dmccallum54> or, rather, to be properly gitish… SSP-XXX Fix N+1

[11:10:12 CST(-0600)] <dmccallum54> js70 i'm still scrambling to prep for some calls this morning… can we wait to this afternoon to chat about SSP-593?

[11:15:45 CST(-0600)] <js70> np

[11:31:53 CST(-0600)] <Patty_> tony

[11:31:57 CST(-0600)] <Patty_> are you joining the scrum?

[13:11:45 CST(-0600)] <TonyUnicon> Dan I think this is an obvious question but I think I'll ask anyway

[13:11:55 CST(-0600)] <TonyUnicon> api urls

[13:12:19 CST(-0600)] <TonyUnicon> for example

[13:12:19 CST(-0600)] <TonyUnicon> person/{personId}/earlyAlert/{earlyAlertId}/response

[13:12:36 CST(-0600)] <TonyUnicon> the id placeholders

[13:12:39 CST(-0600)] <TonyUnicon> like {personId}

[13:12:55 CST(-0600)] <TonyUnicon> is only necessary if that context is required for the call

[13:13:05 CST(-0600)] <TonyUnicon> correct?

[15:08:14 CST(-0600)] <Patty_> jim

[15:08:18 CST(-0600)] <Patty_> are you joining this call