There has been renewed activity in the OFBiz-LDAP area (https://issues.apache.org/jira/browse/OFBIZ-811). That activity reminds me of some security-related subjects I have mentioned before but haven't gone anywhere. So, I guess I'll use this as an opportunity to bring them up again.

The org.ofbiz.security.Security abstract class and the <security-config> element in the security.xml file seem to imply that OFBiz's security implementation is replaceable. But that can't work because the Security abstract class does nothing more than check permissions. To have a real replaceable security implementation, ALL user security operations should be accommodated in the abstract class - including user login and security permission CRUD operations.

If the Security abstract class was expanded in this way, then the various security related services would have to be re-written to route all CRUD and permissions-checking operations through the abstract class implementation.

Such an implementation would pave the way for an LDAP version of org.ofbiz.security.Security that would keep all user login security/permission data on the LDAP server.

What do you think?

-Adrian

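To make the proposal concrete, here is an added sketch (written for this page, not OFBiz code and not the actual shape of org.ofbiz.security.Security) of what a widened abstract class would look like once login and permission CRUD live in it, together with an LDAP-backed implementation that keeps every credential and permission on the directory server. Everything below is assumed for illustration: the method names, the `uid=` RDN layout, the `ofbizPermission` attribute (a real directory would need a schema entry for it), and the use of an administrative bind for reads and writes. Two practitioner details are built in because they are the usual mistakes in LDAP login code: an empty password is rejected before binding (many servers treat an empty-password simple bind as an anonymous bind and report success), and the user id is DN-escaped so it cannot inject extra RDN components.

```java
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;
import java.util.Collections;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Set;

// Hypothetical widened abstract class: login, permission checks AND permission CRUD
// all route through here, so a backend can be swapped without touching the services.
abstract class Security {
    abstract boolean login(String userLoginId, String password);
    abstract boolean hasPermission(String userLoginId, String permission);
    abstract Set<String> getPermissions(String userLoginId);
    abstract boolean grantPermission(String userLoginId, String permission);
    abstract boolean revokePermission(String userLoginId, String permission);
}

// Hypothetical LDAP backend: users are uid=<id>,<baseDn>; permissions are values of
// the (assumed) multi-valued attribute ofbizPermission on the user's entry.
class LdapSecurity extends Security {
    private static final String PERM_ATTR = "ofbizPermission"; // assumed attribute name
    private final String url, baseDn, adminDn, adminPassword;

    LdapSecurity(String url, String baseDn, String adminDn, String adminPassword) {
        this.url = url; this.baseDn = baseDn; this.adminDn = adminDn; this.adminPassword = adminPassword;
    }

    @Override boolean login(String userLoginId, String password) {
        // An empty password must never reach the server: a simple bind with empty
        // credentials is an anonymous bind on many directories and would "succeed".
        if (userLoginId == null || password == null || password.isEmpty()) return false;
        try {
            bind(userDn(userLoginId), password).close();
            return true;
        } catch (NamingException e) {
            return false; // wrong password, unknown user, or server error: all fail closed
        }
    }

    @Override boolean hasPermission(String userLoginId, String permission) {
        return getPermissions(userLoginId).contains(permission);
    }

    @Override Set<String> getPermissions(String userLoginId) {
        DirContext ctx = null;
        try {
            ctx = bind(adminDn, adminPassword);
            Attributes attrs = ctx.getAttributes(userDn(userLoginId), new String[] { PERM_ATTR });
            Attribute a = attrs.get(PERM_ATTR);
            Set<String> perms = new HashSet<>();
            if (a != null) {
                NamingEnumeration<?> vals = a.getAll();
                while (vals.hasMore()) perms.add(vals.next().toString());
            }
            return perms;
        } catch (NamingException e) {
            return Collections.emptySet(); // fail closed: no permissions on error
        } finally {
            closeQuietly(ctx);
        }
    }

    @Override boolean grantPermission(String userLoginId, String permission) {
        return modify(userLoginId, DirContext.ADD_ATTRIBUTE, permission);
    }

    @Override boolean revokePermission(String userLoginId, String permission) {
        return modify(userLoginId, DirContext.REMOVE_ATTRIBUTE, permission);
    }

    private boolean modify(String userLoginId, int op, String permission) {
        DirContext ctx = null;
        try {
            ctx = bind(adminDn, adminPassword);
            ModificationItem[] mods = { new ModificationItem(op, new BasicAttribute(PERM_ATTR, permission)) };
            ctx.modifyAttributes(userDn(userLoginId), mods);
            return true;
        } catch (NamingException e) {
            return false;
        } finally {
            closeQuietly(ctx);
        }
    }

    private DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url); // use ldaps:// so the password is not sent in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    private String userDn(String userLoginId) {
        return "uid=" + escapeDn(userLoginId) + "," + baseDn;
    }

    // RFC 4514 escaping of an RDN value, so "x,ou=admins" cannot smuggle in extra components.
    static String escapeDn(String value) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\0') { sb.append("\\00"); continue; }
            boolean special = "\\,+\"<>;=".indexOf(c) >= 0
                    || (c == '#' && i == 0)
                    || (c == ' ' && (i == 0 || i == value.length() - 1));
            if (special) sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }

    private static void closeQuietly(DirContext ctx) {
        if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
    }
}
```

With a class shaped like this, the login and permission services only ever call `Security` methods, so an entity-backed implementation and this LDAP one are interchangeable by changing the configured class. Note that all reads and writes here use one administrative bind; in a deployment you would scope that account to the users subtree and to the permission attribute rather than give it directory-wide write access.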