incubator-projects mailing list archives

From "Luciano Resende" <luckbr1...@gmail.com>
Subject Re: high level design from wiki
Date Tue, 22 Jul 2008 05:34:42 GMT
My only concern with requiring LDAP is the necessary configuration
steps just to get some simple standalone gallery working. But looks
like we are considering this as a "second phase" feature, so we have
enough time to play.

On Mon, Jul 21, 2008 at 10:09 PM, Roland Weber <ossfwot@dubioso.net> wrote:
> Hi Angie,
>
>> This is what I had always envisioned when stating "user management".
>>  Possibly a poor choice of words but the closest thing I could come up with
>> to what I thought needed implemented.  Perhaps we should start calling it
>> "friend management" instead.
>
> Fine with me :-)
>
>>> When somebody tries to integrate the photo gallery
>>> with some existing "Web 2.0" infrastructure, then
>>> there will already be a user management system.
>>> Having our own instead of interfacing with a
>>> standard LDAP won't help then.
>>
>> Could we eventually just make "friend management" pluggable?
>
> For the time being, I consider the friend management
> a separate component that is responsible for handling
> invitations and acceptance of those. Once friendship
> is established between two users, that relationship is
> stored in the user management component or user repository,
> however you'd like to call it. I'm suggesting to use LDAP
> for the user repository, not for the friend management.
> So yes, I believe that friend management is pluggable.
>

+1 to consider the friend management a separate and pluggable module.
We could also check on what is available (e.g. OpenSocial
implementation from Apache Shindig).

>> Would that be easier than even going the LDAP route?
>
> See above. If you keep the users and established friendship
> relationships (groups) in the LDAP, you can use that for
> authentication, and you have a place where the access manager
> gets the required information from. Keeping users and groups
> in different repositories doesn't sound good to me.
> Using anything but LDAP to keep users means that people have
> to implement authentication code for every web container but
> the one(s) we choose to support out of the box.
> I know how to configure WebSphere to authenticate against
> almost any LDAP, but I'd have to write code to authenticate
> against a database with a custom layout. I didn't check
> what options Geronimo, JBoss or WebLogic provide. Maybe
> somebody else can add authentication details about those?
> I don't want to make a case for "just because of WebSphere".
>
> Tomcat definitely supports authentication against a database
> with quite some flexibility about the DB layout. But it
> handles LDAP, DB, and JAAS mutually exclusively. So in order
> to have a JAAS login with authentication against LDAP, we'll
> need a JAAS login module that authenticates against LDAP.*
> Still, it's better to write one JAAS login module than to
> write a new authentication plugin for every web container.
>
> cheers,
>  Roland
>
>
> *) Java 6 comes with JAAS login modules that authenticate
> against LDAP or JNDI somewhere in the SUN-specific classes.
> But the principals they instantiate are also SUN-specific
> classes. The JavaDocs for JndiLoginModule indicate that
> the module handles password hashing itself with only one
> supported hash algorithm, so it is of limited usefulness.
> http://java.sun.com/javase/6/docs/jre/api/security/jaas/spec/index.html
>
>



-- 
Luciano Resende
http://people.apache.org/~lresende
http://lresende.blogspot.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: projects-unsubscribe@incubator.apache.org
For additional commands, e-mail: projects-help@incubator.apache.org
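The quoted discussion ends on a concrete piece of work: a JAAS login module that authenticates against LDAP, so that one module serves every web container instead of a per-container authentication plugin, and that hands back a principal that is not a vendor-specific class. The following is an added example written for this archive page; it is not code from the thread, from the gallery project, or from Roland or Luciano. It authenticates with an LDAP simple bind through JNDI and attaches a plain Principal to the Subject. The option names ldapUrl and userDnPattern, the {0} placeholder for the username, the GalleryUserPrincipal class and the sample JAAS configuration entry are all assumptions made here for illustration.

```java
// Added example (not from the thread or the gallery project): a JAAS LoginModule that
// authenticates by an LDAP simple bind through JNDI and yields a container-neutral Principal.
// Assumed names: options "ldapUrl" and "userDnPattern" (with "{0}" for the username).
// Constructed JAAS configuration entry for this module:
//   Gallery { LdapBindLoginModule required ldapUrl="ldap://directory.example.org:389"
//             userDnPattern="uid={0},ou=people,dc=example,dc=org"; };
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class LdapBindLoginModule implements LoginModule {

    /** Plain principal class, so the application never depends on vendor JAAS classes. */
    public static final class GalleryUserPrincipal implements Principal {
        private final String name;
        public GalleryUserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private String ldapUrl;        // constructed sample: ldap://directory.example.org:389
    private String userDnPattern;  // constructed sample: uid={0},ou=people,dc=example,dc=org
    private Principal principal;   // non-null only after a successful login(), until abort/logout

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.ldapUrl = (String) options.get("ldapUrl");
        this.userDnPattern = (String) options.get("userDnPattern");
    }

    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler supplied");
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot collect credentials: " + e.getMessage());
        }
        String user = nameCb.getName();
        char[] password = passCb.getPassword();
        passCb.clearPassword();
        // Reject empty passwords before binding: a bind with a DN but no password is an
        // LDAP "unauthenticated bind", which some directories report as success.
        if (user == null || user.isEmpty() || password == null || password.length == 0)
            throw new FailedLoginException("username and password are required");
        // Escape the username before substituting it into the DN template.
        String dn = userDnPattern.replace("{0}", escapeDnValue(user));
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);  // the bind itself is the password check
            principal = new GalleryUserPrincipal(user);
            return true;
        } catch (AuthenticationException e) {
            throw new FailedLoginException("invalid credentials for " + user);
        } catch (NamingException e) {
            throw new LoginException("directory unavailable: " + e.getMessage());
        } finally {
            Arrays.fill(password, '\0');  // never keep the clear-text password around
            if (ctx != null) { try { ctx.close(); } catch (NamingException ignored) { } }
        }
    }

    public boolean commit() {
        if (principal == null) return false;
        subject.getPrincipals().add(principal);
        return true;
    }

    public boolean abort() { boolean pending = principal != null; principal = null; return pending; }

    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null;
        return true;
    }

    /** Escape the characters RFC 4514 reserves inside a DN attribute value. */
    static String escapeDnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (",+\"\\<>;=#".indexOf(c) >= 0 || (c == ' ' && (i == 0 || i == value.length() - 1)))
                sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }
}
```

The container's JAAS realm is pointed at the configuration entry name and, where the container needs it, at the principal class (Tomcat's JAASRealm, for instance, is given the application name and the user principal class name). Two things the module deliberately does: it refuses an empty password rather than letting the directory decide, because an unauthenticated bind is accepted by some servers, and it escapes the username before building the DN so that a crafted name cannot change which entry is bound. The module only authenticates; the group membership the access manager needs (the relationships Roland proposes to keep in LDAP as groups) would be a separate lookup after a successful bind. A simple bind transmits the password as-is, so outside a test setup the ldapUrl should be an ldaps:// URL, or the context should negotiate StartTLS before binding.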

