I like this more and more.

-David

On Jan 14, 2006, at 6:12 AM, Trygve Laugstøl wrote:

On Wed, 2006-01-11 at 19:13 +0100, Emmanuel Venisse wrote:
Hi,

In 1.1, we have decided to rework all security features.

I haven't looked at osuser in particular yet, but I still think it might
work for us.

Anyway I'm suggesting the following strategy:

1) Make a set of Continuum-specific interfaces:

 * ContinuumAuthentication
     has a login( username, password ) and a logout() method

 * ContinuumAuthorization
     canExecute( authenticationToken, protectedResourceId )

 * ContinuumUserManager
     User and Group object CRUD methods,
     addUserToGroup() and the like.

2) Make an LDAP implementation of these interfaces and include Apache
Directory in Continuum as the default database or write a Derby-specific
implementation as that's what we're already shipping with.

The advantage of including Directory is that we have one less
implementation to write and it's easier to migrate to a proper LDAP
database as you can connect to the Directory service and dump the
existing database. The disadvantage is the increased size of the
Continuum binary distribution. I'm currently not sure how big the
Directory server is in terms of bytes. The binary ApacheDS distro [1] is
10MB but I really doubt all of that is required.

It shouldn't be really hard to write a Derby implementation and it will
probably be the fastest implementation.

By following this strategy we isolate Continuum from the implementation
as the interfaces are Continuum-oriented and should be pretty stable
from day one, and we can add JAAS implementations later on. By having a
standalone (Derby), LDAP and JAAS implementation I think that we've
covered all possible integration points. I'd guess that 90% of all
people wanting to authenticate with an external system would use LDAP
anyway.

Thoughts?

[1]: http://cvs.apache.org/dist/directory/apacheds/

--
Trygve
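
The interface boundary proposed in the message above, sketched in Java as an added example that is not part of the original thread or of Continuum's code. Interface and method names come from the message; the signatures, the String token, `InMemorySecurity`, `addUser`, the PBKDF2 parameters and the sample user are assumptions, with the in-memory store standing in for the Derby, LDAP or JAAS back ends.

```java
import java.security.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Names are from the proposal; signatures, String tokens and the in-memory store are assumptions.
interface ContinuumAuthentication {
    String login(String username, char[] password) throws GeneralSecurityException;
    void logout(String authenticationToken);
}
interface ContinuumAuthorization { boolean canExecute(String authenticationToken, String protectedResourceId); }
public class InMemorySecurity implements ContinuumAuthentication, ContinuumAuthorization {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, byte[][]> users = new ConcurrentHashMap<>();     // user -> {salt, hash}
    private final Map<String, Set<String>> grants = new ConcurrentHashMap<>(); // user -> resource ids
    private final Map<String, String> sessions = new ConcurrentHashMap<>();    // token -> user
    static byte[] random(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }
    static byte[] hash(char[] pw, byte[] salt) throws GeneralSecurityException {
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(pw, salt, 100_000, 256)).getEncoded();
    }
    void addUser(String name, char[] pw, String... resources) throws GeneralSecurityException {
        byte[] salt = random(16);
        users.put(name, new byte[][] { salt, hash(pw, salt) });
        grants.put(name, new HashSet<>(Arrays.asList(resources)));
    }
    public String login(String username, char[] password) throws GeneralSecurityException {
        byte[][] rec = username == null ? null : users.get(username);
        // Constant-time compare of the derived keys; null means "not authenticated".
        if (rec == null || !MessageDigest.isEqual(rec[1], hash(password, rec[0]))) return null;
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(random(32)); // unguessable
        sessions.put(token, username);
        return token;
    }
    public void logout(String token) { if (token != null) sessions.remove(token); }
    public boolean canExecute(String token, String protectedResourceId) {
        // Deny by default: null, unknown or logged-out tokens authorize nothing.
        String user = token == null ? null : sessions.get(token);
        return user != null && grants.getOrDefault(user, Collections.emptySet()).contains(protectedResourceId);
    }
    public static void main(String[] args) throws GeneralSecurityException {
        InMemorySecurity sec = new InMemorySecurity();
        sec.addUser("alice", "constructed-pw".toCharArray(), "project:build"); // constructed sample user
        String t = sec.login("alice", "constructed-pw".toCharArray());
        System.out.println(sec.canExecute(t, "project:build") + " " + sec.canExecute(t, "project:delete"));
        sec.logout(t);
        System.out.println(sec.canExecute(t, "project:build"));
    }
}
```

Callers only ever see the two interfaces, so a Derby, LDAP or JAAS back end can replace `InMemorySecurity` without touching the code that calls `canExecute`.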

