Hi,

I agree with Rana's viewpoint from the previous letter. If any component depends upon a specific implementation/functionality of the User implementation, it's a configuration problem. The FtpServer implementation in such a case must be configured to use an appropriate UserManager implementation, and the component in question (FileSystemManager) should check the class of User and take an action if the User is not what it expected (fail fast). Dividing the credentials (as a term, not a class) into User and Credentials, where they are used separately, depending on the implementation and the state the request is in, doesn't sound like a good idea to me.

In general, if the general opinion is that the security implementation needs to be more standard/powerful/complex, we should consider implementing JAAS or more modern frameworks.

P.S. Chances are this email will not show up on the list because for some reason all emails from me to the list are going to the big hard drive in the sky. I'm working on a solution for this problem (sending emails to apache@ and infrastructure@), but that's the state things are in right now.

-- Anton