geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vamsavardhana Reddy (JIRA)" <...@geronimo.apache.org>
Subject [jira] Updated: (GERONIMO-409) SQLSecurityRealm/SQLLoginModule needs overhaul
Date Wed, 26 Oct 2005 09:57:55 GMT
     [ http://issues.apache.org/jira/browse/GERONIMO-409?page=all ]

Vamsavardhana Reddy updated GERONIMO-409:
-----------------------------------------

    Attachment: sqlwithusernamepar.patch

sqlwithusernamepar.patch: The userSelect and groupSelect SQL statements can have a predicate
with the username parameter to be set in PreparedStatement at runtime.  All the parameters
in the statement will be set to the username.  For e.g., the userSelect and groupSelect can
now be an SQL like these given below:

SELECT USERNAME, PASSCODE FROM USERTABLE WHERE USERNAME=?
SELECT GROUPNAME, USERNAME FROM GROUPTABLE1 WHERE USERNAME=? UNION SELECT GRPNAME, USRNAME
FROM GRPTBL WHERE USRNAME=?

If there is more than one parameter marker in the SQL, all these will be set to the target
username.  This code will also work fine with the earlier userSelect and groupSelect SQLs
which did not use a paramater for target username.  In this case, the parameter count would
be 0 and no parameters are set in the prepared statement.

> SQLSecurityRealm/SQLLoginModule needs overhaul
> ----------------------------------------------
>
>          Key: GERONIMO-409
>          URL: http://issues.apache.org/jira/browse/GERONIMO-409
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M2
>     Reporter: Aaron Mulder
>     Priority: Critical
>      Fix For: 1.0
>  Attachments: sqlwithusernamepar.patch
>
> The SQLSecurityRealm and SQLLoginModule do not scale.  In particular, they load all users
and all groups in the security realm once when the realm is started, and again for every login
request.  Imagine a database of thousands of users/groups.
> There should instead be required SQL queries to load a single password given a username,
and to load a list of groups for a single user given a username.  Then there can be optional
SQL queries to load a list of all users or to load a list of all groups, though we still shouldn't
care who the group members are.
> Also, it appears that the digesting features provided by SQLSecurityRealmPasswordDigested
are never invoked, so that class has no effect.  It seems like the best way to implement digesting
would be to make the basic SQLLoginModule take a digest algorithm argument.  If present, the
SQLLoginModule could instantiate and use a digester on the incoming password (and if not,
not).  Then we don't need any extra class for it, and you could enable digesting simply by
adding a login module configuration option.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Mime
View raw message