Adam Megacz <[EMAIL PROTECTED]> writes: > I'm implementing an AFS-aware WebDAV server. I'm doing it in Java at > the moment simply because that's the shortest path to completion > (libjafs and existing Java webdav server code make it pretty easy).
> Three questions: > 1. Is there any way to create a "Process Authentication Thread" > similar to a PAG? (I strongly suspect not) A PAG is nothing more or less than a group membership, from the perspective of a user process. If threads can be in different groups, yes; otherwise, no. I don't know on your other questions. > I feel uncomfortable about requiring that the server run as a member of > system:anyuser. The best solution IMHO is to have the server use the > user's tokens (how those are obtained is another story). > The second-best solution is to have the server run with > system:administrator powers, but I'm reluctant to do that unless I know > that those tokens will only be used for file accesses I specifically > instruct them to be used for (I don't want normal calls to java.io.* to > get the benefit of these tokens -- too much other code in the JVM calls > this stuff). Yeah, this is a standard problem. Most sites work around it by creating a special identity for the web server and then giving that identity access to the directories that it needs to access explicitly. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> _______________________________________________ OpenAFS-devel mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-devel
