Hi,
 
I have a question that concerns the attempt in (at least) two places in the code to first use an anonymous cloud and only if it fails retrieve a real one. Why is it implemented this way? In CloudTag an attempt is made to create an anonymous cloud and a SecurityException is even thrown if it fails. In BridgeServlet.getNode the same is done.
 
Should it not be left to the security implementation what cloud to use? An implementation of org.mmbase.security.Authentication delivers an implementation of org.mmbase.security.UserContext that is used by an implementation of org.mmbase.security.Authorization to determine what is allowed by that user. Attempts to use anonymous clouds are attempts to bypass security and should be avoided, I think.
 
I do not really have a good overview of the consequences of removing anonymous cloud usage, but it seems weird to allow this.
 
Regards,
Ronald Wildenberg.
 
 

_______________________________________________
Developers mailing list
Developers@lists.mmbase.org
http://lists.mmbase.org/mailman/listinfo/developers
