Just to make things clear, I'm strongly against working on this code (or any other one) for the upcoming release. This might go in a 1.2 or (better) act as a possible foundation for a new version.
Now, a short description of what has been committed, so that you might want to take a look at it. :-) First of all, I decided to try out the JAAS way (I was already thinking about it, and Murray's hint was a good help in that direction): I'm still not that sure that it's the perfect solution for our needs, and I don't think that we might buy the whole JAAS object model, but for basic needs it might be OK.
The good news would be that, once in place, security would be pluggable in a PAM way, so it will be possible to authenticate the Xindice access against an NT domain or against a JDBC datasource. And the other way around: since I also sketched out a JAAS LoginModule, once finished, other JAAS-compliant applications might be able to authenticate their users against the Xindice userbase.
This is how I laid out my ideas and code: there is in SystemCollection a collection called SysUsers (it already exists but it's unused) holding an XML document with the user data (very basic ATM: just user, passwords and roles). This is actually an XMLSerializable object, so it's possible to use it in a programmatic way: it might become a singleton instance in Database.java, with an accessor method (here there are some security issues: on top of the TODO list is password encryption). This object will be used for managing the user base (possibly extending the XMLTools?) and, most of all, by the XindiceLoginModule that will be the default LoginModule in the JAAS configuration. Database.getCollection(col, user, password) will instantiate a JAAS LoginContext and serve the requested collection only to authenticated users.
This is of course only the first step, and there are already many problems to solve here. At the very least I see:
1. a chicken and egg problem: we need to ensure that Xindice is able to operate (internally) without authentication, or it won't be able to retrieve and modify even the user data.
2. authorization: this is a hard issue. With this setup we only have the benefit of restricting full access, as a whole, to unauthenticated users. But it's all or nothing: when you are authenticated, you can do everything. To move forward and have at least a read-only mode, we have to seriously tweak the internals. I'm thinking about a Proxy class for the real Collection (ReadOnlyCollection): do you think it makes sense?
OK, thanks if you have read this far; please feel free to fire at will.
As a final note, I hope that Vladimir will appreciate the TDD. :-)
Ciao,
-- Gianugo
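A sketch of what the XindiceLoginModule described in the mail could look like, added here as an illustration and not code from the Xindice commit. It assumes a constructed in-memory USERS map standing in for the SysUsers document (with a sample "admin" entry), stores only password digests as a first answer to the "password encryption" TODO, and leaves out the LoginContext and JAAS configuration wiring that Database.getCollection() would provide.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class XindiceLoginModule implements LoginModule {
    // Constructed stand-in for the SysUsers document: user -> SHA-256(password).
    // Bare SHA-256 is only a placeholder; a salted, slow hash (PBKDF2, bcrypt) belongs here.
    static final Map<String, byte[]> USERS = Map.of("admin", sha256("s3cret"));

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private boolean succeeded;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
    }

    // Phase one: verify the credentials but do not yet touch the Subject.
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e); }
        byte[] stored = USERS.get(nc.getName());
        char[] pw = pc.getPassword();
        pc.clearPassword();
        // Constant-time digest compare; unknown user and wrong password fail alike.
        succeeded = stored != null && pw != null
                && MessageDigest.isEqual(stored, sha256(new String(pw)));
        if (!succeeded) throw new FailedLoginException("bad user or password");
        user = nc.getName();
        return true;
    }

    // Phase two: only a successful login attaches the identity to the Subject.
    public boolean commit() {
        if (succeeded) subject.getPrincipals().add((Principal) () -> user);
        return succeeded;
    }
    public boolean abort() { succeeded = false; user = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }

    static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (Exception e) { throw new IllegalStateException(e); }
    }
}
```

The two-phase login/commit split is what lets a JAAS stack of several modules (for instance this one plus an NT domain or JDBC module) fail as a unit without leaving a half-populated Subject behind.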
