On 6/21/07, David Leangen <[EMAIL PROTECTED]> wrote:
> I need to start thinking about authentication. I noticed that in Pax
> Wicket SNAPSHOT, there are now a few docs that discuss this, and I'll be
> looking into that in detail very soon.
>
> For now, I thought I'd ask your advice from the backend perspective.
> I've never developed this before, so maybe those with more experience
> could help me out.
>
> It seems to me that I'll need to store, for each user:
>
> - username
> - password
> - lastlogin
> - roles
>
> Does that sound right?

Not sure what you want to do with "lastlogin", but the default Authenticator in Pax Wicket will use OSGi's User Admin service spec, to enable re-use of clever new implementations there.

> What issues should I consider, with regards to security especially and
> also stability and usability?

Try to delegate the problem away from your application as much as possible. In an enterprise environment, you will be required to integrate into the LDAP or Identity Management system in use there, and possibly be Single Sign-On capable.

> Or, are there any good articles or books that could help me consider
> some of the issues I'll need to deal with?

Ideally, you don't need to do much. It would make sense that Pax Wicket's Authenticator plus the OSGi User Admin service is engaged, and SAML and/or CAS support is developed collaboratively. Expect to see Apache Directory server have SAML (Web SSO at least) support somewhere over the next few months.

Meanwhile, use the simple OSGi User Admin just to have something running for your client, and when the ApacheDS SAML work is done, we can make the bridge for it here in OPS4J.

Cheers
Niclas

_______________________________________________
general mailing list
[email protected]
http://lists.ops4j.org/mailman/listinfo/general
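The reply recommends parking the four fields from the question (username, password, lastlogin, roles) in the OSGi User Admin service rather than in application tables. The class below is an added illustration of that mapping, written for this page; it is not Pax Wicket, OPS4J or Apache code and does not show how Pax Wicket's Authenticator itself calls User Admin. It uses only the standard `org.osgi.service.useradmin` API: the username becomes a `User` role, each role becomes a `Group` the user is a member of, `lastlogin` goes into the user's public properties, and the password is kept in the private credentials dictionary as a salted PBKDF2 hash rather than plaintext. The credential key names (`password.hash`, `password.salt`), the iteration count and the class name are this example's own choices; how the `UserAdmin` service reference is obtained from the bundle context is left to the caller.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.time.Instant;
import java.util.Arrays;
import java.util.Dictionary;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.osgi.service.useradmin.Authorization;
import org.osgi.service.useradmin.Group;
import org.osgi.service.useradmin.Role;
import org.osgi.service.useradmin.User;
import org.osgi.service.useradmin.UserAdmin;

/**
 * Example only (not Pax Wicket or OPS4J code): keeps username, password,
 * lastlogin and roles in the OSGi User Admin service instead of application tables.
 */
public class UserAdminAccounts {
    // Credential/property key names are this example's own choice, not a spec convention.
    private static final String HASH_KEY = "password.hash";
    private static final String SALT_KEY = "password.salt";
    private static final String LAST_LOGIN = "lastlogin";
    private static final int ITERATIONS = 100_000;   // example value; tune for your hardware
    private static final SecureRandom RNG = new SecureRandom();

    private final UserAdmin userAdmin;

    /** The caller obtains the UserAdmin service from the bundle context. */
    public UserAdminAccounts(UserAdmin userAdmin) {
        this.userAdmin = userAdmin;
    }

    /**
     * username -> User role; roles -> Group membership; password -> salted PBKDF2 hash
     * in the private credentials dictionary (values there must be String or byte[]).
     */
    @SuppressWarnings("unchecked")
    public User createAccount(String username, char[] password, String... groupNames) {
        User user = (User) userAdmin.createRole(username, Role.USER);
        if (user == null) {  // createRole returns null when a role with that name already exists
            throw new IllegalStateException("user already exists: " + username);
        }
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        Dictionary<String, Object> creds = user.getCredentials();
        creds.put(SALT_KEY, salt);
        creds.put(HASH_KEY, pbkdf2(password, salt));
        Arrays.fill(password, '\0');  // do not keep the plaintext around longer than needed
        for (String name : groupNames) {
            Group group = (Group) userAdmin.getRole(name);
            if (group == null) {
                group = (Group) userAdmin.createRole(name, Role.GROUP);
            }
            group.addMember(user);
        }
        return user;
    }

    /**
     * Returns the user's Authorization on success and null on any failure, and
     * records lastlogin in the public properties as an ISO-8601 timestamp string.
     */
    @SuppressWarnings("unchecked")
    public Authorization authenticate(String username, char[] password) {
        Role role = userAdmin.getRole(username);
        if (!(role instanceof User)) {  // unknown name, a Group, or the anonymous role
            return null;
        }
        User user = (User) role;
        Dictionary<String, Object> creds = user.getCredentials();
        byte[] salt = (byte[]) creds.get(SALT_KEY);
        byte[] expected = (byte[]) creds.get(HASH_KEY);
        if (salt == null || expected == null) {
            return null;
        }
        byte[] actual = pbkdf2(password, salt);
        Arrays.fill(password, '\0');
        if (!MessageDigest.isEqual(expected, actual)) {  // constant-time comparison
            return null;
        }
        user.getProperties().put(LAST_LOGIN, Instant.now().toString());
        return userAdmin.getAuthorization(user);
    }

    /** PBKDF2-HMAC-SHA256, 256-bit output; JDK 8+ ships this algorithm name. */
    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Once `authenticate` returns an `Authorization`, role checks are `auth.hasRole("admin")`, which also honours nested group membership the way User Admin defines it. The public properties dictionary (where `lastlogin` lives) is readable by any bundle with the service, so nothing secret belongs there; the credentials dictionary is the place for the hash and salt, and storing a hash rather than calling `User.hasCredential` on a plaintext password means a dump of the User Admin store does not yield the passwords themselves.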
