Re: [stellation-res] why doesn't stellationd require a "password" argument?
On Monday 22 July 2002 03:41 am, Jason Rimmer wrote:
> JAAS is nasty and complicated to integrate. Perhaps a simple
> authentication/authorization framework such as the one implemented in
> Jakarta's Turbine would be a decent start? It's not tightly coupled
> with Turbine (nor a web interface) and has a relational backend. Once
> that's working you could switcheroo its implementation with the JAAS
> backend.
> You would certainly have a decent user authentication/authorization
> framework up quickly.
We already have a pretty decent authentication framework. I'd be
willing to support changes to the auth layer if they had a real
benefit. But I'm not willing to switch just for the sake of switching.
Our current authentication system supports pluggable authentication
modules, challenge authentications, etc. It's really pretty decent.
The main weakness of it, at the moment, is that we're not doing anything
clever to protect user passwords in the database - so protecting the
security of the database becomes important, and we're not doing a
great job of that yet. But that's not a huge deal to fix: the database
should be run in a protected mode, so that you need a password
to establish a database connection; the password storage
should be changed to not use plaintext; and the encryption key
to decode the stored passwords should only be accessible
using an administrator's key. None of these are hard to do.
Switching to JAAS might make sense, because it's a standard
mechanism. If it could be done without adding a huge amount
of complexity to the system, I'd like to see it happen. On the
other hand, adding another non-standard dependency to the system
for an auth layer is something that we'd need to carefully consider:
what benefits does Turbine have over what we're using? If they're
significant, and much easier than JAAS, then great. If not, then
I'd rather not.
Note that I'm not saying that Turbine doesn't have significant
advantages over what we have now. I really don't know: I haven't
looked at it. I wouldn't be too surprised if it does: Jakarta software
tends to be excellent.
-Mark
>
> On Mon, 2002-07-22 at 02:17, Ringo De Smet wrote:
> > --- Florin Iucha <florin@xxxxxxxxx> wrote:
> > > I think you should look into JAAS: it is part of the Java2 v1.4 so
> > > you get it for free. And probably works on windows.
> >
> > I second this. Apart from being a standard component for Java2 1.4, it
> > was a separate download for Java2 1.3 which makes it the best candidate
> > for authentication and authorization.
> >
> > JAAS has a number of authentication back-ends. The ones that are part
> > of the default distribution (according the docs):
> > - JNDI
> > - Unix Operating System (PAM?)
> > - Windows NT
> > - Kerberos
> > - Keystore
> >
> > Ringo
> >
> > _______________________________________________
> > stellation-res mailing list
> > stellation-res@xxxxxxxxxxxxxxx
> > http://dev.eclipse.org/mailman/listinfo/stellation-res
--
Mark Craig Chu-Carroll, IBM T.J. Watson Research Center
*** The Stellation project: Advanced SCM for Collaboration
*** http://www.eclipse.org/stellation
*** Work Email: mcc@xxxxxxxxxxxxxx ------- Personal Email: markcc@xxxxxxxxxxx