Hi Martin,

It sounds to me like the easiest solution would be to create a separate database (mysql, oracle, whatever) that does user authentication only, or you can use LDAP and not worry about a db. You can copy the data from your current app, duplicate the password hashing scheme in your code (or maybe even dehash and rehash using a standard, stronger hash), and then use this for your app. Then you can use the Hibernate security with no issues.
If this isn't an option for whatever reason, I vote for #2 ;)

David

-----Original Message-----
From: Martin Stolz [mailto:[EMAIL PROTECTED]
Sent: Wednesday June 9, 2004 6:11 AM
To: Turbine Users List
Subject: I need simple Access Control (Security) with Turbine without ACL's or Roles, how to do?

Hi all,

I have been thinking about this for a while and now I will ask, I am not sure that I will be on the right way. I have an Oracle Database and a VERY simple System for User Management:

- Either you are a User, or you are not. You cannot view anything when you are no User.
- You can view everything, when you have a valid username/password
- Passwords are hashed using self-employed (weak) String encryption (don't blame me, I am NOT responsible for this)
- The Table storing this information just has the Fields ID, username, Password and nothing else.
- I don't want to lose the Session Handling and User Objects associated with the RunData.
- I can not create ANY tables or stuff in the Database Schema. It just stays like it is now.

How would this translate into Turbine 2.3? I am not using Torque (at least I try not to use it) but Hibernate. I have been looking for a simple Solution and there are two ways, both of them have some Advantages and Disadvantages:

1) Implement my own Screen that checks for my simple Security and otherwise redirects to login page. I am not sure how I would preserve the session handling (e.g. data.getUser().setTemp() is necessary...) with this solution. Would it be enough to just override the UserManager? But it will not work without Torque, would it? Or is it ok to just set the User in the RunData? But I will have an implementation of User that will also have some methods not implemented.

2) Go for it and implement the SecurityService, ACL, UserManager and User-Objects for myself. (Un)fortunately, this means writing a real lot of Methods that throw RuntimeExceptions, because they are not implemented. Ok, they are never called, but this is not good style. The API is designed for an ACL-based Role System, I know. I only have one Role, a User. Either you are a User or you aren't. But I cannot store even this role anywhere and just override the checkPassword() with my check. I don't want to create any new Tables.

What should I do? I've tried finding information on this one, but I was not successful. Maybe I am the only one having this sort of problem...?

One general remark: I know Turbine and Torque were married a while ago, now they are divorced, but good friends. Is it planned to remove the References of Criteria and other Torque Stuff from the ACL API and implementation? Maybe make this Part more general? It's just something I stumbled upon.

Thank you very much for your answers.

Best Regards,
martin
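
One way to carry out the rehash suggested in David's reply, as an added example that is not from either poster or from Turbine: check the password against the legacy scheme once at login, then keep only a salted PBKDF2 record in the separate auth store. The `legacyCheck` hook, the in-memory `authStore` map (standing in for the separate database or LDAP) and the choice of PBKDF2 are assumptions, and the code needs Java 8 or later.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import java.util.function.BiPredicate;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class RehashOnLogin {
    static final int ITERATIONS = 210_000; // assumption: tune to your hardware
    // Stand-in for the separate auth database or LDAP: user -> "pbkdf2$iter$salt$hash"
    final Map<String, String> authStore = new HashMap<>();
    // Hypothetical hook that checks a password against the legacy table's weak scheme
    final BiPredicate<String, char[]> legacyCheck;
    RehashOnLogin(BiPredicate<String, char[]> legacyCheck) { this.legacyCheck = legacyCheck; }

    static byte[] pbkdf2(char[] pw, byte[] salt, int iter) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, iter, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    static String encode(char[] pw) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // fresh random salt per user
        return "pbkdf2$" + ITERATIONS + "$" + Base64.getEncoder().encodeToString(salt) + "$"
                + Base64.getEncoder().encodeToString(pbkdf2(pw, salt, ITERATIONS));
    }

    static boolean verify(String stored, char[] pw) throws Exception {
        String[] p = stored.split("\\$");
        byte[] salt = Base64.getDecoder().decode(p[2]);
        byte[] expected = Base64.getDecoder().decode(p[3]);
        return MessageDigest.isEqual(expected, pbkdf2(pw, salt, Integer.parseInt(p[1]))); // constant-time
    }

    boolean login(String user, char[] pw) throws Exception {
        String stored = authStore.get(user);
        if (stored != null) return verify(stored, pw); // migrated: legacy scheme no longer consulted
        if (!legacyCheck.test(user, pw)) return false; // unknown user or wrong password
        authStore.put(user, encode(pw));               // first good login: store the strong hash
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the legacy check accepts only martin / "secret"
        RehashOnLogin auth = new RehashOnLogin((u, p) -> u.equals("martin") && "secret".equals(new String(p)));
        System.out.println(auth.login("martin", "secret".toCharArray())); // legacy check, then migrated
        System.out.println(auth.login("martin", "wrong".toCharArray()));  // checked against the PBKDF2 record
    }
}
```

Accounts that never log in again stay on the legacy scheme, so a migration like this needs a cutoff after which unmigrated users are forced through a password reset.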