----- Original Message ----- From: "Peter M. Goldstein" <[EMAIL PROTECTED]> > > All, > > This is a patch which attempts to resolve some of the more obvious > problems with the current NNTP implementation. Some of the corrections > were: > > i) Parsing of the LIST command and its extensions was badly incorrect. > The parsing is now correct, with all extensions and wildmat parameters > being set as appropriate. > > ii) The GROUP command wiped the previous selected group, even if the > group name passed in didn't correspond to a valid newsgroup.
Could you give a telnet comparison, or the real bug you found. wildmat was not 100% but 99% based on what is used by nntp clients and supported by regex package. > > iii) The auth implementation was completely wrong. This fix needs > further refactoring, but the whole AuthService architecture was badly > designed. It does not allow per-connection authentication, which makes > it useless for our purposes. These changes leave the AuthService class > in place, but move the authRequired configuration to the NNTP server > handler configuration. The AuthService is unused, and should be removed > completely. If flexible, pluggable authentication services are desired > in the future, a new interface and implementation should be used. AuthService alllowed - validation on actual commands, via <isAuthorized> - User Pasword state machine encapsulation. - plugin authentication mechanism. Shouldn't the bug that you found be fixed in AuthService ? Regarding perconnection check in authservice - AuthService is an interface, how can it prevent it ? Another implemenation can be plugged in if need be used differently in the handler. How does AuthService prevent you from doing what you need ? > > iv) Added a number of comments. Found some of the comments distracting. What is the point in cutting and pasting comments that are in base class in the derived class as well ? Wouldn't javadoc take care of this ? It would be better to have protocol conformance or implementation comments instead. > > v) Made the protocol debugging like the SMTP and POP3 debugging. > > vi) Fixed an obvious typo in the TLS support for the NNTP server. > > Problems that still need to be addressed: > > i) Passwords are displayed in the debug log > > ii) The code is very un-robust. Even slightly misformed commands will > lead to nasty errors in the handler. There is no consistent syntax > checking. Is there a way to avoid malformed commands in any protocol. What can be done ? One could throw an exception and stop the connection. Isn't that what was/is happenning. An example would be better. > > iii) The functionality needs a complete sweep to make sure that commands > do what is expected > > iv) The code needs a great deal of refactoring to make it correct and > maintainable. > Excellent points but a bit general. :-) Harmeet -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
