Anton, Rana,

It is possible that I missed this point in Rana's letter, so I don't quite understand what his viewpoint is about.

But anyway, with the current implementation FileSystemManager must expect User to be an instance of BaseUser. So, I agree that such checks should have a place, but I want to give FileSystemManager the chance to have application-specific User classes.

*"Dividing the credentials (as a term, not a class) into User and Credentials where they are used separately, depending on implementation and the state the request is at doesn't sound as a good idea to me."*

I don't fully understand the idea of using Credentials for anything except storing the username between the USER and PASS commands. Ok, ok, I can just replace the Credentials class with a tmpUserName field, if that is more understandable. I never said that Credentials should be used instead of User anywhere, except in the USER & PASS commands.

Implementing JAAS is interesting, but it is more complex for a simple FTPServer. And I don't remember what the license terms of jaas.jar from Sun(r) are.

Sergey

2006/5/5, Anton Goldberg <[EMAIL PROTECTED]>:
Hi,

I agree with Rana's viewpoint from the previous letter. If any component depends upon a specific implementation/functionality of the User implementation, it's a configuration problem. The FtpServer implementation in such a case must be configured to use an appropriate UserManager implementation, and the component in question (FileSystemManager) should check the class of User and take an action if the User is not what it expected (fail fast).

Dividing the credentials (as a term, not a class) into User and Credentials where they are used separately, depending on implementation and the state the request is at doesn't sound as a good idea to me.

In general, if the general opinion is that the security implementation needs to be more standard/powerful/complex, we should consider implementing JAAS or more modern frameworks.

P.S. Chances are this email will not show up in the list because for some reason all emails from me to the list are going to the big hard drive in the sky. I'm working on a solution for this problem (sending emails to apache@ and infrastructure@) but that's the state things are in right now.

-- Anton
-- Sergey Vladimirov
