incubator-projects mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Roland Weber <>
Subject user management - why bother?
Date Fri, 11 Jul 2008 11:28:21 GMT
Hi Angie, all,

The current Caitrin Proposal mentions user management:
 > The user management system will be based on JAAS. [...]

JAAS is not an API for user management. It is an API for
authentication (check passwords) and authorization. If you
want to provide a web service for accessing the gallery,
I assume that you have a servlet container (Tomcat) or
JEE environment (Geronimo). In that case, I would never
try to deal with user management myself, but always leave
that to the container. The container itself might use JAAS,
but that's not a concern of the application.
The authorization component of JAAS by default evaluates
static policy files. That's not something you would use
to manage list of friends.

It is reasonable to use an LDAP directory like the
Apache Directory Server to manage a group of friends
for every user. But permission checking should be left
to the backend if possible. I don't know what JCR offers
for that at the moment.
Managing the groups in the LDAP is a different problem,
I'm not sure whether you should try to handle that at
all as part of the photo gallery. Preferably not with
the first shot at least. Common APIs for accessing LDAP
are JNDI [1,2] and JLDAP [3].

To keep the workload manageable for the start, I recommend
to leave user management completely out of the scope.
Just assume a limited number of user groups, like
"everybody", "everybody logged in", "self". Maybe add
two or three tiers for fun, like "long-time users" and
"admins". The point here is that this can be handled by
a bunch of J2EE roles which anyone can map to groups in
the user repository. Once you have a group of friends
for every user, that is no longer possible. Of course,
that all depends on the access control mechanism that
Jackrabbit provides. I'm not familiar with that.

Btw, the Caitrin Proposal currently looks more like the
draft of a high-level architecture document rather than
a project proposal. I guess it will need a bit more work
to convince the Incubator folks.



To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message