From: "Aaron Mulder (JIRA)"
To: dev@geronimo.apache.org
Date: Fri, 19 Aug 2005 00:35:54 +0200 (CEST)
Subject: [jira] Updated: (GERONIMO-409) SQLSecurityRealm/SQLLoginModule needs overhaul
Message-ID: <2011099653.1124404554100.JavaMail.jira@ajax.apache.org>

     [ http://issues.apache.org/jira/browse/GERONIMO-409?page=all ]

Aaron Mulder updated GERONIMO-409:
----------------------------------

    Fix Version: 1.0-M5
    Description:

The SQLSecurityRealm and SQLLoginModule do not scale. In particular, they load all users and all groups in the security realm once when the realm is started, and again for every login request. Imagine a database of thousands of users/groups.

There should instead be required SQL queries to load a single password given a username, and to load a list of groups for a single user given a username. Then there can be optional SQL queries to load a list of all users or to load a list of all groups, though we still shouldn't care who the group members are.

Also, it appears that the digesting features provided by SQLSecurityRealmPasswordDigested are never invoked, so that class has no effect. It seems like the best way to implement digesting would be to make the basic SQLLoginModule take a digest algorithm argument. If present, the SQLLoginModule could instantiate and use a digester on the incoming password (and if not, not). Then we don't need any extra class for it, and you could enable digesting simply by adding a login module configuration option.

    Environment:
      Assign To:     (was: Alan Cabrera)
       Priority: Critical  (was: Major)

> SQLSecurityRealm/SQLLoginModule needs overhaul
> ----------------------------------------------
>
>          Key: GERONIMO-409
>          URL: http://issues.apache.org/jira/browse/GERONIMO-409
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M2
>     Reporter: Aaron Mulder
>     Priority: Critical
>      Fix For: 1.0-M5

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
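The design the issue proposes (two required per-user queries for login, two optional realm-wide queries for listing, and an optional digest algorithm applied to the submitted password) can be sketched as follows. This is an added example, not Geronimo's SQLLoginModule or any code from the issue: it is written in Python over an in-memory SQLite database standing in for the JDBC data source, the schema, sample users and groups are constructed here, and the class and query names are hypothetical. The `query_count` field exists only so a reader can verify that a login costs exactly two statements regardless of how many users the realm holds.

```python
import hashlib
import hmac
import sqlite3
from typing import List, Optional

# Constructed sample schema (not Geronimo's): one row per user, one row per
# (user, group) membership. The realm never needs to load these tables whole.
SAMPLE_SCHEMA = """
CREATE TABLE users  (username TEXT PRIMARY KEY, password TEXT NOT NULL);
CREATE TABLE groups (username TEXT NOT NULL, groupname TEXT NOT NULL);
"""
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]          # constructed
SAMPLE_GROUPS = [("alice", "admin"), ("alice", "users"), ("bob", "users")]

# Required per-user queries: the only SQL a login ever runs.
PASSWORD_QUERY = "SELECT password FROM users WHERE username = ?"
GROUP_QUERY = "SELECT groupname FROM groups WHERE username = ? ORDER BY groupname"
# Optional realm-wide queries, used for administrative listing only, never by login.
ALL_USERS_QUERY = "SELECT username FROM users ORDER BY username"
ALL_GROUPS_QUERY = "SELECT DISTINCT groupname FROM groups ORDER BY groupname"


def digest_password(password: str, digest_algorithm: Optional[str]) -> str:
    """Apply the configured digest (e.g. 'sha256') or return the password unchanged."""
    if digest_algorithm is None:
        return password
    return hashlib.new(digest_algorithm, password.encode("utf-8")).hexdigest()


class SQLLoginModule:
    """Hypothetical login module with per-user lookups, as GERONIMO-409 describes."""

    def __init__(self, conn, password_query, group_query, digest_algorithm=None,
                 all_users_query=None, all_groups_query=None):
        self.conn = conn
        self.password_query = password_query
        self.group_query = group_query
        self.digest_algorithm = digest_algorithm
        self.all_users_query = all_users_query
        self.all_groups_query = all_groups_query
        self.query_count = 0  # instrumentation: how many statements have been issued

    def _run(self, sql, params=()):
        self.query_count += 1
        # Parameterised: the username is bound, never concatenated into the SQL text.
        return self.conn.execute(sql, params).fetchall()

    def login(self, username: str, password: str) -> Optional[List[str]]:
        """Return the user's groups on success, None on failure."""
        rows = self._run(self.password_query, (username,))
        if not rows:
            return None
        stored = rows[0][0]
        candidate = digest_password(password, self.digest_algorithm)
        # Constant-time comparison so a mismatch does not leak through timing.
        if not hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8")):
            return None
        return [r[0] for r in self._run(self.group_query, (username,))]

    def list_users(self) -> Optional[List[str]]:
        if self.all_users_query is None:
            return None
        return [r[0] for r in self._run(self.all_users_query)]

    def list_groups(self) -> Optional[List[str]]:
        if self.all_groups_query is None:
            return None
        return [r[0] for r in self._run(self.all_groups_query)]


def build_sample_db(digest_algorithm=None) -> sqlite3.Connection:
    """In-memory SQLite realm holding the constructed data; passwords stored digested if configured."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, digest_password(p, digest_algorithm)) for u, p in SAMPLE_USERS])
    conn.executemany("INSERT INTO groups VALUES (?, ?)", SAMPLE_GROUPS)
    conn.commit()
    return conn


def demo(digest_algorithm=None) -> dict:
    """Exercise the module and report results plus the number of statements one login needed."""
    module = SQLLoginModule(build_sample_db(digest_algorithm), PASSWORD_QUERY, GROUP_QUERY,
                            digest_algorithm, ALL_USERS_QUERY, ALL_GROUPS_QUERY)
    alice = module.login("alice", "s3cret")
    queries_for_login = module.query_count
    return {
        "alice_ok": alice,
        "queries_for_login": queries_for_login,
        "alice_bad": module.login("alice", "wrong"),
        "nobody": module.login("mallory", "whatever"),
        "users": module.list_users(),
        "groups": module.list_groups(),
    }


if __name__ == "__main__":
    print(demo())           # plaintext comparison
    print(demo("sha256"))   # digest_algorithm option enabled
```

Enabling digesting is a single configuration value (`digest_algorithm`), exactly as the issue suggests, and the same class serves both modes. The unsalted hex digest shown here mirrors the proposal in the issue; a realm designed today would store a salted, iterated password hash instead, but the per-user query structure and the constant-time comparison carry over unchanged.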