From: David Blevins
Subject: Re: Security in Continuum
Date: Tue, 17 Jan 2006 14:07:19 -0800
To: continuum-dev@maven.apache.org
In-Reply-To: <1137247929.20946.19.camel@echidna>
References: <43C54AB8.7050606@venisse.net> <1137247929.20946.19.camel@echidna>
I like this more and more.

-David

On Jan 14, 2006, at 6:12 AM, Trygve Laugstøl wrote:

> On Wed, 2006-01-11 at 19:13 +0100, Emmanuel Venisse wrote:
>> Hi,
>>
>> In 1.1, we have decided to rework all security features.
>
> I haven't looked at osuser in particular yet, but I still think it might
> work for us.
>
> Anyway I'm suggesting the following strategy:
>
> 1) Make a set of Continuum-specific interfaces:
>
> * ContinuumAuthentication
>   has a login( username, password ) and a logout() method
>
> * ContinuumAuthorization
>   canExecute( authenticationToken, protectedResourceId )
>
> * ContinuumUserManager
>   User and Group object CRUD methods,
>   addUserToGroup() and the likes.
>
> 2) Make an LDAP implementation of these interfaces and include Apache
> Directory in Continuum as the default database, or write a Derby-specific
> implementation as that's what we're already shipping with.
>
> The advantage of including Directory is that we have one less
> implementation to write and it's easier to migrate to a proper LDAP
> database as you can connect to the Directory service and dump the
> existing database. The disadvantage is the increased size of the
> Continuum binary distribution. I'm currently not sure how big the
> Directory server is in terms of bytes. The binary ApacheDS distro [1] is
> 10MB but I really doubt all of that is required.
>
> It shouldn't be really hard to write a Derby implementation and it will
> probably be the fastest implementation.
>
> By following this strategy we isolate Continuum from the implementation
> as the interfaces are Continuum-oriented and should be pretty stable
> from day one, and we can add JAAS implementations later on. By having a
> standalone (Derby), LDAP and JAAS implementation I think that we've
> covered all possible integration points. I'd guess that 90% of all
> people wanting to authenticate with an external system would use LDAP
> anyway.
>
> Thoughts?
>
> [1]: http://cvs.apache.org/dist/directory/apacheds/
>
> --
> Trygve
>
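The three interfaces Trygve sketches above, fleshed out as an added example that is neither Continuum code nor part of the thread: a hypothetical in-memory backend behind the interfaces, showing what a backend-neutral design has to get right regardless of whether Derby, LDAP or JAAS sits underneath. login() hands out an opaque random session token, canExecute() fails closed on an unknown or revoked token and on an unregistered resource id, and logout() revokes the token. The groupsOf() accessor, the addUser()/protect() setup methods, the InMemorySecurity class name and the sample user and resource ids are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
interface ContinuumAuthentication {
    Optional<String> login(String username, char[] password); // opaque session token, empty on failure
    void logout(String token);
}
interface ContinuumAuthorization {
    boolean canExecute(String authenticationToken, String protectedResourceId);
}
interface ContinuumUserManager {
    Set<String> groupsOf(String username); // assumed accessor; the User/Group CRUD methods are omitted here
}
// Hypothetical in-memory backend, not Continuum code; a Derby, LDAP or JAAS backend would replace the maps.
class InMemorySecurity implements ContinuumAuthentication, ContinuumAuthorization, ContinuumUserManager {
    private final Map<String, byte[]> passwords = new HashMap<>();          // demo only: store salted hashes in real code
    private final Map<String, Set<String>> groups = new HashMap<>();         // username -> groups
    private final Map<String, Set<String>> resourceGroups = new HashMap<>(); // resource id -> groups allowed to execute
    private final Map<String, String> sessions = new HashMap<>();            // live token -> username
    private final SecureRandom random = new SecureRandom();
    void addUser(String u, String pw, String... gs) { passwords.put(u, pw.getBytes(StandardCharsets.UTF_8)); groups.put(u, Set.of(gs)); }
    void protect(String resourceId, String... allowedGroups) { resourceGroups.put(resourceId, Set.of(allowedGroups)); }
    public Optional<String> login(String username, char[] password) {
        byte[] stored = passwords.get(username);
        byte[] given = new String(password).getBytes(StandardCharsets.UTF_8);
        if (stored == null || !MessageDigest.isEqual(stored, given)) return Optional.empty(); // constant-time compare
        byte[] raw = new byte[32]; random.nextBytes(raw);             // 256 random bits: unguessable, carries no user data
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, username);
        return Optional.of(token);
    }
    public void logout(String token) { sessions.remove(token); }      // revoked: every later canExecute() with it is denied
    public Set<String> groupsOf(String username) { return groups.getOrDefault(username, Set.of()); }
    public boolean canExecute(String token, String protectedResourceId) {
        String user = sessions.get(token);
        if (user == null) return false;                               // unknown or revoked token: deny
        Set<String> allowed = resourceGroups.get(protectedResourceId);
        if (allowed == null) return false;                            // unregistered resource: deny, never default-allow
        return !Collections.disjoint(allowed, groupsOf(user));        // any shared group grants the action
    }
    public static void main(String[] args) {                          // constructed sample data
        InMemorySecurity s = new InMemorySecurity();
        s.addUser("bob", "hunter2", "developers"); s.protect("project:42:build", "admins", "developers");
        String t = s.login("bob", "hunter2".toCharArray()).orElseThrow();
        System.out.println(s.canExecute(t, "project:42:build") + " " + s.canExecute(t, "project:42:delete"));
        s.logout(t); System.out.println(s.canExecute(t, "project:42:build"));
    }
}
```

Save as InMemorySecurity.java, compile with javac and run `java InMemorySecurity` (Java 11 or later); the three printed checks cover the allowed action, the unregistered resource and the revoked token.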