From: Jörg Henne <j.henne@levigo.de>
To: Apache Directory Developers List <dev@directory.apache.org>
Date: Tue, 25 Jul 2006 12:32:12 +0200
Subject: Authentication and JBoss SAR
Message-ID: <44C5F32C.7060906@levigo.de>
Hi all,

especially with respect to the JBoss SAR, but also in conjunction with other kinds of deployment, I think it is rather unfortunate to require the super-user password to be supplied in the startup configuration. With the SAR, one needs to tweak the jboss-service.xml file, living inside the SAR archive, after the super-user password has been changed. To make the pains even worse, I have several other services running on JBoss which also depend on the directory. In order to enable authorization of remote accesses to the directory without reverting to a default, non-user-configurable super-user password, I have to unpack the SAR, update the service configuration to include the updated password and re-pack the SAR for all services during installation.

To fix this problem, IMHO there should be the option to let all in-VM accesses bypass authentication and authorization. In fact, I think this should be the default way of operation, as cases where in-VM authorization is required could be covered by using the standard SecurityManager to force non-trusted accesses to use the non-local interface.

This problem may be addressed already by the switch away from JNDI for internal accesses. But while we're not there, I wonder whether there is a work-around to get rid of the in-VM authentication requirement.

Oh, and while I'm already ranting... I wonder whether it is really desirable to have a single hard-coded, catch-all super-user instead of installing a few ACIs.

WDYT?

Thanks
Joerg Henne