Sunday, August 19, 2007
ECM Security: Nuxeo
I previously provided commentary on both Documentum and Alfresco regarding how well they implement enterprise security considerations. Today, I will share my thoughts on Nuxeo...
Reading code for domains and products you don't work with on a daily basis is very challenging. I suspect that I will take some dings in terms of false assumptions and will be truly appreciative of those who can provide alternative perspectives of what my interpretation states.
The first general observation is that it seems to do a better job of adhering to the core J2EE patterns than Alfresco and has a more flexible longer-term design. The notion of a query seems like it was made to be extensible in that it could support both NXQL, XPATH or whatever else happens to come down the path. I like the fact that you are not locked into a specific query language such as DQL.
Nuxeo seems to leverage other parts of the J2EE specification such as support for transactions. The ability to participate in transactions that are started outside of the ECM platform by a BPM engine and ensure transactional consistency is something that I haven't seen in Stellent, Alfresco or Documentum.
In terms of its security model, it also supports JSR-283 which defines Access Control Lists (ACL) and Access Control Entries (ACE) and normalizes the privelege model. The product doesn't store users which one up's Documentum and Alfresco as well which should make enterprise security folks happy to avoid duplication. Authentication leverages JAAS which means that if deployed on a J2EE Container such as BEA Weblogic, it would automatically have support for SAML 1.1. I guess the strategy of waiting for J2EE containers to provide security services instead of having to build them into the product is somewhat smart.
There is no out of the box support for XACML, but it seems well positioned to support. There is a notion of psuedo-ACL which are computed at runtime which can be extended. The security is stored on a document node using a mixin where one can also turn the accessControlPolicy implementation into the XACML PEP. Adding support for SPML feels like one has to simply implement org.nuxeo.ecm.platform.usermanager and configure it.
I like the fact that Nuxeo uses Maven which I would love to see other open source projects embrace. My only compliant that I have is how it interacts with directories. The notion of using a directory service to authenticate is problematic as it does assume that authentication uses the directory mechanisms and not either other forms of credentials such as information cards nor storing passwords in different locations as typically found in corporate implementations. I would also think that it would leverage more JNDI constructs.
Another feature I thought was interesting was the content transformation services where content transformation is built directly into the product and is not a separate SKU like Documentum or Stellent. Workflow seems as well to be thoughtful in that it can leverage third-party products in an integrated manner. It spells out usage with jBPM where as you are pretty much left on your own if you decide to use a workflow/BPM engine not provided by your ECM vendor.
In conclusion, I think this product is worthy of attention from Enterprise Architects in other Fortune enterprises. In fact, I think I may noodle for a little bit contributing security expertise to this project to help make it even stronger. Stay tuned...
| | View blog reactionsReading code for domains and products you don't work with on a daily basis is very challenging. I suspect that I will take some dings in terms of false assumptions and will be truly appreciative of those who can provide alternative perspectives of what my interpretation states.
The first general observation is that it seems to do a better job of adhering to the core J2EE patterns than Alfresco and has a more flexible longer-term design. The notion of a query seems like it was made to be extensible in that it could support both NXQL, XPATH or whatever else happens to come down the path. I like the fact that you are not locked into a specific query language such as DQL.
Nuxeo seems to leverage other parts of the J2EE specification such as support for transactions. The ability to participate in transactions that are started outside of the ECM platform by a BPM engine and ensure transactional consistency is something that I haven't seen in Stellent, Alfresco or Documentum.
In terms of its security model, it also supports JSR-283 which defines Access Control Lists (ACL) and Access Control Entries (ACE) and normalizes the privelege model. The product doesn't store users which one up's Documentum and Alfresco as well which should make enterprise security folks happy to avoid duplication. Authentication leverages JAAS which means that if deployed on a J2EE Container such as BEA Weblogic, it would automatically have support for SAML 1.1. I guess the strategy of waiting for J2EE containers to provide security services instead of having to build them into the product is somewhat smart.
There is no out of the box support for XACML, but it seems well positioned to support. There is a notion of psuedo-ACL which are computed at runtime which can be extended. The security is stored on a document node using a mixin where one can also turn the accessControlPolicy implementation into the XACML PEP. Adding support for SPML feels like one has to simply implement org.nuxeo.ecm.platform.usermanager and configure it.
I like the fact that Nuxeo uses Maven which I would love to see other open source projects embrace. My only compliant that I have is how it interacts with directories. The notion of using a directory service to authenticate is problematic as it does assume that authentication uses the directory mechanisms and not either other forms of credentials such as information cards nor storing passwords in different locations as typically found in corporate implementations. I would also think that it would leverage more JNDI constructs.
Another feature I thought was interesting was the content transformation services where content transformation is built directly into the product and is not a separate SKU like Documentum or Stellent. Workflow seems as well to be thoughtful in that it can leverage third-party products in an integrated manner. It spells out usage with jBPM where as you are pretty much left on your own if you decide to use a workflow/BPM engine not provided by your ECM vendor.
In conclusion, I think this product is worthy of attention from Enterprise Architects in other Fortune enterprises. In fact, I think I may noodle for a little bit contributing security expertise to this project to help make it even stronger. Stay tuned...
