directory-dev mailing list archives

From "Jose Alberto Fernandez" <jalbe...@cellectivity.com>
Subject RE: [mina] Refactoring MINA IoFilterChain (Was: IoFilters: DIRMINA-121 / 122)
Date Tue, 15 Nov 2005 16:58:30 GMT
> From: Irving, Dave [mailto:dave.irving@logicacmg.com] 
> 
> Ok, I see. However, even in this hypothetical case: Wouldn't 
> you just configure SSL at the port level too (not acceptor level).
> Then there wouldn't be a problem.
> 
> Sorry for probing - I'm just trying to establish whether there 
> is any real need for exposing the whole chain on a per 
> connection basis. If there is, it makes this change a fair 
> bit more complicated :o)
> 

Yes, for this specific example, you may be right. But let's assume some
other.
Let's assume I have a port level filter configuration consisting of:
threadFilter, kerberosFilter, codecFilter, and someFilterManager.

Now, as part of the protocol, the client may request TLS privacy once
authenticated.
So, on a particular session, the client requests privacy, which means
adding the SSLFilter after threadFilter and activating it. Now I want
this change only for this session, not for all the sessions on this
port. I cannot do SSL at the end of the chain because I need to decode
first.

This means I need to reconfigure the chain, just for this session. Now
the current solution requires me to set up the entire chain on a session
by session basis (which is really wasteful as we all agree). If instead
you share the chain, and only do the cloning on demand (when SSL is
requested by a session) then you can save on average.

And since you have only one chain (either shared or private) at any
given point in time, the implementation has to be simpler. I do not see
how it may become more complicated.

Jose Alberto
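
The share-then-clone-on-demand arrangement described in the message above, as an added Java example that is not part of the original post and is not MINA's IoFilterChain API. The `Chain` and `Session` classes, the `withFilterAfter` and `enablePrivacy` methods, and the `sslFilter` name are hypothetical; the other filter names are the ones from the message.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Hypothetical types for illustration only; not MINA classes.
public class CopyOnWriteChainDemo {

    /** Immutable, ordered filter list. One instance is shared by every session on a port. */
    static final class Chain {
        private final List<String> filters;
        Chain(List<String> filters) {
            this.filters = Collections.unmodifiableList(new ArrayList<>(filters));
        }
        List<String> filters() { return filters; }

        /** Returns a new chain with newFilter directly after anchor; this chain is never modified. */
        Chain withFilterAfter(String anchor, String newFilter) {
            int i = filters.indexOf(anchor);
            if (i < 0) throw new IllegalArgumentException("no such filter: " + anchor);
            if (filters.contains(newFilter)) return this; // already present, no clone needed
            List<String> copy = new ArrayList<>(filters);
            copy.add(i + 1, newFilter);
            return new Chain(copy);
        }
    }

    static final class Session {
        // Points at the shared port chain until this session diverges.
        // volatile so an I/O thread sees the swap made by the thread handling the request.
        private volatile Chain chain;
        Session(Chain portChain) { this.chain = portChain; }
        Chain chain() { return chain; }
        boolean hasPrivateChain(Chain portChain) { return chain != portChain; }

        /** Called when this client requests TLS privacy after authenticating. */
        void enablePrivacy() {
            chain = chain.withFilterAfter("threadFilter", "sslFilter");
        }
    }

    public static void main(String[] args) {
        Chain port = new Chain(List.of(
                "threadFilter", "kerberosFilter", "codecFilter", "someFilterManager"));
        Session a = new Session(port);
        Session b = new Session(port);
        a.enablePrivacy(); // only session a pays for a private copy
        System.out.println("a: " + a.chain().filters() + " private=" + a.hasPrivateChain(port));
        System.out.println("b: " + b.chain().filters() + " private=" + b.hasPrivateChain(port));
    }
}
```

Because the shared chain is immutable, a session that never requests TLS can never see the SSL filter that another session added, and each session holds exactly one chain reference at any time.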

