continuum-dev mailing list archives

From David Blevins <david.blev...@visi.com>
Subject Re: Security in Continuum
Date Tue, 17 Jan 2006 22:07:19 GMT
I like this more and more.

-David

On Jan 14, 2006, at 6:12 AM, Trygve Laugstøl wrote:

> On Wed, 2006-01-11 at 19:13 +0100, Emmanuel Venisse wrote:
>> Hi,
>>
>> In 1.1, we have decided to rework all security features.
>
> I haven't looked at osuser in particular yet, but I still think it might
> work for us.
>
> Anyway I'm suggesting the following strategy:
>
> 1) Make a set of Continuum-specific interfaces:
>
>  * ContinuumAuthentication
>      has a login( username, password ) and a logout() method
>
>  * ContinuumAuthorization
>      canExecute( authenticationToken, protectedResourceId )
>
>  * ContinuumUserManager
>      User and Group object CRUD methods,
>      addUserToGroup() and the likes.
>
> 2) Make a LDAP implementation of these interfaces and include Apache
> Directory in Continuum as the default database or write a Derby-specific
> implementation as that's what we're already shipping with.
>
> The advantage by including Directory is that we have one less
> implementation to write and it's easier to migrate to a proper LDAP
> database as you can connect to the Directory service and dump the
> existing database. The disadvantage is the increased size of the
> Continuum binary distribution. I'm currently not sure how big the
> Directory server is in terms of bytes. The binary ApacheDS distro [1] is
> 10MB but I really doubt all of that is required.
>
> It shouldn't be really hard to write a Derby implementation and it will
> probably be the fastest implementation.
>
> By following this strategy we isolate Continuum from the implementation
> as the interfaces are Continuum-oriented and should be pretty stable
> from day one, and we can add JAAS implementations later on. By having a
> standalone (Derby), LDAP and JAAS implementation I think that we've
> covered all possible integration points. I'd guess that 90% of all
> people wanting authenticate with an external system would use LDAP
> anyway.
>
> Thoughts?
>
> [1]: http://cvs.apache.org/dist/directory/apacheds/
>
> --
> Trygve
>
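The interface split proposed in the quoted message, worked through as an added Java example that is not Continuum's code and not part of the original thread. The three interface names and the method names come from the proposal; the parameter and return types (a char[] password, a String session token, a grant() method on the user manager) and the map-backed implementation standing in for the Derby or LDAP backend are assumptions made here. The point it adds is what the proposal leaves implicit: canExecute() never sees a password, only an opaque token that logout() invalidates, so swapping the backend cannot change the authorization contract.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// The three interfaces named in the proposal. Parameter and return types
// are assumptions made for this example; the thread only names the methods.
interface ContinuumAuthentication {
    /** Returns an opaque session token on success, null on failure. */
    String login(String username, char[] password);
    void logout(String token);
}

interface ContinuumAuthorization {
    boolean canExecute(String authenticationToken, String protectedResourceId);
}

interface ContinuumUserManager {
    void addUser(String username, char[] password);
    void removeUser(String username);
    void addGroup(String group);
    void addUserToGroup(String username, String group);
    /** Hypothetical method: lets a group execute a protected resource. */
    void grant(String group, String protectedResourceId);
}

/** Map-backed stand-in for the Derby or LDAP implementation; only the storage would differ. */
class InMemorySecurity implements ContinuumAuthentication, ContinuumAuthorization, ContinuumUserManager {
    private static final int ITERATIONS = 100_000;
    private final SecureRandom random = new SecureRandom();
    private final Map<String, byte[]> salts = new HashMap<>();
    private final Map<String, byte[]> hashes = new HashMap<>();
    private final Map<String, Set<String>> groupsOfUser = new HashMap<>();
    private final Map<String, Set<String>> resourcesOfGroup = new HashMap<>();
    private final Map<String, String> sessions = new HashMap<>(); // token -> username

    // Salted PBKDF2 so a dumped user table does not yield plaintext passwords.
    private byte[] derive(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public String login(String username, char[] password) {
        byte[] salt = salts.get(username);
        // Run the KDF even for unknown users so response time does not reveal valid names.
        byte[] actual = derive(password, salt == null ? new byte[16] : salt);
        byte[] expected = hashes.getOrDefault(username, new byte[32]);
        if (salt == null || !MessageDigest.isEqual(expected, actual)) {
            return null;
        }
        byte[] raw = new byte[32];
        random.nextBytes(raw); // token is random, not derived from the credentials
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, username);
        return token;
    }

    public void logout(String token) {
        sessions.remove(token);
    }

    public boolean canExecute(String token, String protectedResourceId) {
        String user = token == null ? null : sessions.get(token);
        if (user == null) {
            return false; // unknown or logged-out token: deny, never look up by username
        }
        for (String group : groupsOfUser.getOrDefault(user, Collections.emptySet())) {
            if (resourcesOfGroup.getOrDefault(group, Collections.emptySet()).contains(protectedResourceId)) {
                return true;
            }
        }
        return false;
    }

    public void addUser(String username, char[] password) {
        byte[] salt = new byte[16];
        random.nextBytes(salt);
        salts.put(username, salt);
        hashes.put(username, derive(password, salt));
    }

    public void removeUser(String username) {
        salts.remove(username);
        hashes.remove(username);
        groupsOfUser.remove(username);
        sessions.values().removeIf(username::equals); // a deleted user must lose live sessions too
    }

    public void addGroup(String group) {
        resourcesOfGroup.putIfAbsent(group, new HashSet<>());
    }

    public void addUserToGroup(String username, String group) {
        groupsOfUser.computeIfAbsent(username, k -> new HashSet<>()).add(group);
    }

    public void grant(String group, String protectedResourceId) {
        resourcesOfGroup.computeIfAbsent(group, k -> new HashSet<>()).add(protectedResourceId);
    }

    public static void main(String[] args) {
        InMemorySecurity sec = new InMemorySecurity();
        sec.addUser("alice", "s3cret".toCharArray()); // constructed sample data
        sec.addGroup("builders");
        sec.addUserToGroup("alice", "builders");
        sec.grant("builders", "project:1:build");
        String token = sec.login("alice", "s3cret".toCharArray());
        System.out.println("granted resource:   " + sec.canExecute(token, "project:1:build"));
        System.out.println("ungranted resource: " + sec.canExecute(token, "project:1:delete"));
        sec.logout(token);
        System.out.println("after logout:       " + sec.canExecute(token, "project:1:build"));
        System.out.println("bad password:       " + sec.login("alice", "wrong".toCharArray()));
    }
}
```

Compile with javac and run the InMemorySecurity class; it needs no dependencies beyond the JDK. A Derby or LDAP implementation would replace the five maps with queries against the store and keep the session map (or move it to a shared cache), while the callers in Continuum keep coding against the three interfaces only.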

