On Wednesday 21 November 2001 10:13, Mike Orr wrote: > On Wed, Nov 21, 2001 at 10:21:30AM -0800, Tavis Rudd wrote: > > > In the more general sense, you might want to have relations. A > > > person can "own" something, perhaps another person is the > > > "creator", or "manager", etc. I suppose that's what you were > > > thinking of as roles...? Ownership could just be another role. > > > > Yeah that's what I was thinking of (and wanting to avoid). Isn't > > this what Zope uses, or have I totally misunderstood it? > > The needs of small, simple sites are different than large, complex > sites. If we are attempting to have the same > authentication/permission system scale to both, we have to make > sure one doesn't get lost.
Remember, this discussion is about a UserManagement system that can be used for the various application ideas on the AppIdeas wiki page. Most of those would fall into the 'large, complex' category. We would really need to discuss the permissions system in the context of each of those applications. But as none of them exist let's focus on authentification for now. What are people using at the moment to do their authentification? Notes: * for authentification we only need to think in terms of users * I assume we are going to use sessions to store the authentification info. Here's a summary of the important questions: * At what stage in the request-response cycle does authentification take place (Adapter, Application, or Servlet)? Doing it at the Adapter level means we can use the same mechanism to protect content that isn't served via WebKit. Doing it at the Application level means that we can also protect static content that is served via WebKit. Doing it at the Servlet level means that we can only protect servlets. * Assuming that we use sessions to store the authentification details, how do we make sessions work with/without cookies? Extend this to protecting static content via WebKit. * How do we store authentification information in the user session? * How do we guard against session hijacking? * How are password's stored internally? plain or hashed? * How do we interface with arbitrary stores of user information and passwords (flat-file, BSD-DB, ZODB, relational database, LDAP, etc.) * When Webware makes the shift to a multi-application framework, does authentfication span applications? * How do we make the authentification system fall-back to a semi-secure mechanism (e.g. md5 hashes via javascript) when SSL isn't available. * Do we want to enable some sort of IP filtering or automatic IP-userID mapping? * Are we going to block brute-force dictionary attacks with a failed login time-out mechanism? * Are we going to worry about multi-machine failover support? _______________________________________________ Webware-discuss mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/webware-discuss
