Re: [equinox-dev] authentication vs authorization

Hi Neil,

Neil Bartlett wrote:

<stuff deleted>

The problem is that there is a wide and multifarious range of
scenarios that need to be supported. For example:

<stuff deleted>

You are of course correct about the need to support many use cases. But I feel that's frequently true for platform security...it's something different for nearly everyone.

I think there needs to be a dialog between the Equinox security group
and those of us who are trying to write secure RCP apps. For my needs
in particular, bundle signing and Java permissions are irrelevant
(although Sword4J is very cool). It's not the code I don't trust, it's
the users!

True...and for several of my use cases (storing/accessing user information about accounts/credentials) it's also about the (authenticated) users rather than trusting/restricting the bundles. I know these are not independent, of course. But if there's not some way to satisfy these sorts of relatively simple security use cases (that depend upon authentication but perhaps not on authorization) I think many RCP developers would be prevented from building their applications with 3.2.