continuum-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Trygve Laugstøl <tryg...@codehaus.org>
Subject Re: Security in Continuum
Date Sat, 14 Jan 2006 14:12:08 GMT
On Wed, 2006-01-11 at 19:13 +0100, Emmanuel Venisse wrote:
> Hi,
> 
> In 1.1, we have decided to rework all security features.

I haven't looked at osuser in particular yet, but I still think it might
work for us.

Anyway I'm suggesting the following strategy:

1) Make a set of Continuum-specific interfaces:

 * ContinuumAuthentication
     has a login( username, password ) and a logout() method

 * ContinuumAuthorization
     canExecute( authenticationToken, protectedResourceId )

 * ContinuumUserManager
     User and Group object CRUD methods,
     addUserToGroup() and the likes.

2) Make a LDAP implementation of these interfaces and include Apache
Directory in Continuum as the default database or write a Derby-specific
implementation as that's what we're already shipping with.

The advantage by including Directory is that we have one less
implementation to write and it's easier to migrate to a proper LDAP
database as you can connect to the Directory service and dump the
existing database. The disadvantage is the increased size of the
Continuum binary distribution. I'm currently not sure how big the
Directory server is in terms of bytes. The binary ApacheDS distro[1] is
10MB but I really doubt all of that is required.

It shouldn't be really hard to write a Derby implementation and it will
probably be the fastest implementation.

By following this strategy we isolate Continuum from the implementation
as the interfaces are Continuum-oriented and should be pretty stable
from day one, and we can add JAAS implementations later on. By having a
standalone (Derby), LDAP and JAAS implementation I think that we've
covered all possible integration points. I'd guess that 90% of all
people wanting authenticate with an external system would use LDAP
anyway.

Thoughts?

[1]: http://cvs.apache.org/dist/directory/apacheds/

--
Trygve


Mime
View raw message