directory-dev mailing list archives

From "Enrique Rodriguez" <enriqu...@gmail.com>
Subject Re: Kerberos implementation questions
Date Mon, 09 Jul 2007 20:25:11 GMT
On 7/2/07, Emmanuel Lecharny <elecharny@gmail.com> wrote:
> On 7/2/07, Enrique Rodriguez <enriquer9@gmail.com> wrote:
> > On 7/1/07, Emmanuel Lecharny <elecharny@gmail.com> wrote:
> > > Hi,
> > >
> > > I have some questions regarding the Kerberos implementation:
> > >
> > > 1) We have a TicketModifier class. Is it really useful?
> >
> > The Ticket has no attribute setters, so the intention is that you use
> > the modifier to create immutable Tickets.
>
> Do we need to create immutable Tickets? We just produce Tickets in
> the server, then send them to the client. What's the point to have
> Immutable Tickets? I may miss something ...

I think it is good programming practice, both for security
implications and for the resulting API, even if it is internal to
ApacheDS on the server-side.  You can web search on "security
immutable" or here is a direct reference from Sun:

http://java.sun.com/security/seccodeguide.html#gcg6

> ...
> Ok, I'm gonna have a look at it. From the client side, we obviously must
> work with Sun classes, but from server side, having our own classes
> will help a lot (debug, logs, etc.). It can be done step by step, but
> first we need to build integration tests to be sure that moving from
> Sun to our own classes doesn't break everything.
>
> This is what I find difficult atm: changing the code is risky,
> because of the lack of tests.
> ...

I have integration tests I would like to add to server-unit.  But it
requires adding a dep for kerberos-clients to server-unit, since the
tests use the new client.  If this is acceptable, I will add the dep
and commit a new test class.

This dep will also set us up for a new SASL GSSAPI bind integration
test and some tests for Change Password, as well.

Enrique
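
Added example, not part of the original message and not the ApacheDS code: a minimal Java sketch of the pattern discussed above, where a mutable modifier builds a Ticket that has no setters and copies its byte array at every boundary. The class shapes, field names and sample values are hypothetical and simplified.

```java
import java.util.Arrays;

// Hypothetical, simplified classes; not the ApacheDS Ticket or TicketModifier.
final class Ticket {
    private final String serverPrincipal;
    private final byte[] encPart;   // arrays are mutable, so copy at every boundary
    private final long endTime;

    Ticket(String serverPrincipal, byte[] encPart, long endTime) {
        this.serverPrincipal = serverPrincipal;
        this.encPart = encPart.clone();      // defensive copy in
        this.endTime = endTime;
    }

    String getServerPrincipal() { return serverPrincipal; }
    byte[] getEncPart() { return encPart.clone(); }   // defensive copy out
    long getEndTime() { return endTime; }
}

// The only mutable object; it is discarded once the Ticket is built.
final class TicketModifier {
    private String serverPrincipal;
    private byte[] encPart = new byte[0];
    private long endTime;

    TicketModifier setServerPrincipal(String p) { serverPrincipal = p; return this; }
    TicketModifier setEncPart(byte[] b) { encPart = b.clone(); return this; }
    TicketModifier setEndTime(long t) { endTime = t; return this; }

    Ticket getTicket() {
        if (serverPrincipal == null) throw new IllegalStateException("server principal not set");
        return new Ticket(serverPrincipal, encPart, endTime);
    }
}

public class ImmutableTicketDemo {
    public static void main(String[] args) {
        byte[] cipherText = {1, 2, 3, 4};    // constructed sample bytes
        Ticket ticket = new TicketModifier()
                .setServerPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM")
                .setEncPart(cipherText)
                .setEndTime(1_183_000_000_000L)
                .getTicket();

        cipherText[0] = 99;                  // caller reuses its buffer after the build
        ticket.getEncPart()[1] = 99;         // caller writes into a returned array
        // Code that validated the ticket earlier still sees the validated bytes.
        System.out.println(Arrays.toString(ticket.getEncPart()));
    }
}
```

Without the two clone() calls in Ticket, either write in main would change the contents of a ticket that other server code had already checked.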
