On Wed, 2006-01-11 at 19:13 +0100, Emmanuel Venisse wrote:
> Hi,
>
> In 1.1, we have decided to rework all security features.
I haven't looked at osuser in particular yet, but I still think it might work for us. Anyway I'm suggesting the following strategy:

1) Make a set of Continuum-specific interfaces:
 * ContinuumAuthentication has a login( username, password ) and a logout() method
 * ContinuumAuthorization canExecute( authenticationToken, protectedResourceId )
 * ContinuumUserManager User and Group object CRUD methods, addUserToGroup() and the likes.

2) Make a LDAP implementation of these interfaces and include Apache Directory in Continuum as the default database or write a Derby-specific implementation as that's what we're already shipping with.

The advantage by including Directory is that we have one less implementation to write and it's easier to migrate to a proper LDAP database as you can connect to the Directory service and dump the existing database. The disadvantage is the increased size of the Continuum binary distribution. I'm currently not sure how big the Directory server is in terms of bytes. The binary ApacheDS distro[1] is 10MB but I really doubt all of that is required.

It shouldn't be really hard to write a Derby implementation and it will probably be the fastest implementation.

By following this strategy we isolate Continuum from the implementation as the interfaces are Continuum-oriented and should be pretty stable from day one, and we can add JAAS implementations later on. By having a standalone (Derby), LDAP and JAAS implementation I think that we've covered all possible integration points. I'd guess that 90% of all people wanting to authenticate with an external system would use LDAP anyway.

Thoughts?

[1]: http://cvs.apache.org/dist/directory/apacheds/

-- 
Trygve
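The three interfaces proposed in the message above, wired to a hypothetical in-memory backend standing in for the Derby or LDAP implementation. This is an added example, not Continuum code; the class InMemorySecurity, the addUser/addGroup methods, the Optional-returning login signature and the resource id "build:continuum-core" are assumptions.

```java
import java.util.*;

interface ContinuumAuthentication {
    Optional<String> login(String username, String password); // opaque session token, empty on failure
    void logout(String token);
}
interface ContinuumAuthorization {
    boolean canExecute(String authenticationToken, String protectedResourceId);
}
interface ContinuumUserManager {
    void addUser(String username, String password);
    void addGroup(String group, Set<String> allowedResourceIds);
    void addUserToGroup(String username, String group);
}

// Assumed in-memory backend; a Derby or LDAP implementation would replace the four maps.
class InMemorySecurity implements ContinuumAuthentication, ContinuumAuthorization, ContinuumUserManager {
    private final Map<String, String> passwords = new HashMap<>();        // plaintext only for brevity
    private final Map<String, Set<String>> groupPermissions = new HashMap<>();
    private final Map<String, Set<String>> userGroups = new HashMap<>();
    private final Map<String, String> sessions = new HashMap<>();         // token -> username

    public void addUser(String username, String password) { passwords.put(username, password); }
    public void addGroup(String group, Set<String> allowed) { groupPermissions.put(group, new HashSet<>(allowed)); }
    public void addUserToGroup(String username, String group) {
        userGroups.computeIfAbsent(username, k -> new HashSet<>()).add(group);
    }
    public Optional<String> login(String username, String password) {
        if (!password.equals(passwords.get(username))) return Optional.empty();
        String token = UUID.randomUUID().toString(); // unguessable handle for this session
        sessions.put(token, username);
        return Optional.of(token);
    }
    public void logout(String token) { sessions.remove(token); }

    // Identity is resolved from the token issued at login, never from a caller-supplied username.
    public boolean canExecute(String token, String resourceId) {
        String user = sessions.get(token);
        if (user == null) return false;
        for (String group : userGroups.getOrDefault(user, Set.of()))
            if (groupPermissions.getOrDefault(group, Set.of()).contains(resourceId)) return true;
        return false;
    }
    public static void main(String[] args) {
        InMemorySecurity sec = new InMemorySecurity();
        sec.addUser("alice", "s3cret");
        sec.addGroup("builders", Set.of("build:continuum-core"));
        sec.addUserToGroup("alice", "builders");
        String token = sec.login("alice", "s3cret").get();
        System.out.println("before logout: " + sec.canExecute(token, "build:continuum-core"));
        sec.logout(token);
        System.out.println("after logout: " + sec.canExecute(token, "build:continuum-core"));
    }
}
```

Swapping the backend means re-implementing the three interfaces only; the call sites that check canExecute() stay unchanged, which is the isolation the proposal is after.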