>> 1. We have marker (empty) interfaces for
>> Authentication/AuthorizationRequest. Couldn't guess the reason why
>> they are empty?
>
> Authentication serves as the interfaces passed to the UserManager,
> since the actual implementation is up to the user manager, it does not
> contain any methods. This might be a bit too generic (as has been discussed
> before on this list) since FTP almost always uses username/password or
> anon. But, once we had an X509 based Authentication.
>
> AuthorizationRequest is pretty much the same thing, its
> implementations are only to be understood by the corresponding
> Authority.

My concern here is, there is too much to be interpreted by a User/Implementor.
From a security implementation perspective, I understand these two things,
Identity and Authority (Role). Now, if we had imposed something like
getAuthorities() in the Authority interface, it would have made life easy.
With a marker interface, not sure what we achieve.

>
>> 2. Authority interface has functions, that pertain to Authorization.
>> The interface should have the Role given to the User?
>
> Not sure I understand the question. Authority populates an
> AuthorizationRequest which can give a user a role (or write
> permission, or whatever is needed) if that's what we want (we do not
> currently have roles, but the interfaces would certainly allow for
> such an implementation).

Ok, the idea is, each user has some authority or Role, based on which
Authorization happens. Something like, you pass Authority and Identity to
the Authorization Manager and it shall decide whether to grant access or not.

These interfaces allow for such an implementation, but it's not so intuitive.
I am keeping a close eye on JSecurity (in Incubation). Once it's out, maybe we
can use it within FtpServer.

Will recommend having a look at Spring Security implementation. Maybe it
shall bring us on the same page.

>
>> Have just finished an Authentication implementation using Spring
>> Security and wanted to see how well it gels with FtpServer.
>>
>> The idea is to have authentication and authorization delegated to
>> Spring Security infrastructure to make use of the
>> load of features already built-in (including ADS support).
>
> Should be very much doable, feel free to get back with your results :-)

I have the backend ready, just need to integrate with FtpServer code now.
Shall share my results in ftpuser ML

- ashish
