commons-dev mailing list archives

From Ross Gardler <r...@wkwyw.net>
Subject Re: JJar via authenticating proxy
Date Mon, 03 Jun 2002 12:32:16 GMT


Geir Magnusson Jr. wrote:

> On 6/3/02 7:22 AM, "Ross Gardler" <ross@wkwyw.net> wrote:
> 
> 
>>(copied back to jakarta-commons in case anyone there has a better idea)
>>
>>
> 
> I assume that you didn't guess I sent it privately for a reason?


Ooops, sorry.


>  
> I didn't want there to be any expectation of delivery, as I have an awful
> track record lately on this...


Well I am more than willing to help with the coding of this section.

>> 1. Put the username and password in the ANT build file and pass them
>> to the JJAR test
>>
>> 2. Have ant ask for the username and password interactively and pass the
>> values to the JJAR task
>>
>> 3. Define our own System properties to hold the username and password
>> and have JJAR extract them from there
>>
>>1 & 3 have a problem in that we either have to force the user to encode
>>the values before setting them or we create a security problem by
>>storing them unencoded.
>>
> 
> Well, uuencoding doesn't make anything secret, just gibberish at first
> glance.  And since we would be sending what is effectively cleartext
> anyway...


A good point.


>>2 is perhaps the best. We could set a property in the build file
>>indicating whether we are connecting through an authenticating proxy or
>>not, thus prompting the user for username and password. Furthermore,
>>using this method we allow the user to decide if they want to store the
>>username/password in the build file and thus prevent the need to type
>>them each time.
>>
>>What do you think?
>>
>>
> 
> The problem with 2 is that it doesn't work for anything automated - for
> example a build system that is run automatically for testing would need to
> have the values somewhere.
> 
> I think what we need is to give people the choice - one option to specify
> the values like #1, and one for #2, so if you want to keep it secret and do
> interactively, you can.
> 
> Since we are talking about a security system that does everything in
> cleartext, doing something fancier doesn't make sense at first.


I agree. If you want assistance just let me know what you have got so far and
I'll do the rest.

Ross
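
The choice discussed in this message, sketched in Java as an added example (not code from the thread or from JJar): credentials come from the build file, then system properties, then an interactive prompt, and the resulting header is decoded to show that encoding hides nothing. It assumes the proxy uses HTTP Basic authentication, which the thread does not name, and the class and property names are hypothetical.

```java
import java.io.Console;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration. Class and property names are hypothetical, not JJar's.
public class ProxyCredentials {
    static final String USER_PROP = "jjar.proxy.user";      // hypothetical
    static final String PASS_PROP = "jjar.proxy.password";  // hypothetical

    final String user;
    final char[] password;

    ProxyCredentials(String user, char[] password) {
        this.user = user;
        this.password = password;
    }

    // Option 1 (values from the build file), then option 3 (system
    // properties), then option 2 (interactive prompt) for whatever is missing.
    static ProxyCredentials resolve(String attrUser, String attrPass) {
        String u = attrUser != null ? attrUser : System.getProperty(USER_PROP);
        String p = attrPass != null ? attrPass : System.getProperty(PASS_PROP);
        if (u != null && p != null) return new ProxyCredentials(u, p.toCharArray());
        Console console = System.console();
        if (console == null)  // unattended build: nobody to ask
            throw new IllegalStateException("proxy credentials not set and no console to prompt on");
        if (u == null) u = console.readLine("Proxy user: ");
        char[] pw = p != null ? p.toCharArray() : console.readPassword("Proxy password: ");
        return new ProxyCredentials(u, pw);
    }

    // Proxy-Authorization value for HTTP Basic. Base64 is an encoding, not encryption.
    String basicHeader() {
        byte[] raw = (user + ":" + new String(password)).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // What anyone who can read the request recovers from that value, with no key.
    static String decode(String headerValue) {
        byte[] raw = Base64.getDecoder().decode(headerValue.substring("Basic ".length()));
        return new String(raw, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample values, supplied the way an automated build would (option 1).
        String header = resolve("builduser", "example-password").basicHeader();
        System.out.println("Proxy-Authorization: " + header);
        System.out.println("Recovered by an observer: " + decode(header));
    }
}
```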



