Elias Torres wrote:
No, you are not. I think what Brian is talking about is the fact that we have to place the code in the right place; if not, we can open ourselves to a DoS attack. For example, he was adding "autoCreate" to the getUser(username) function in UserData or UserManager. I pointed out to him that there are many (40+) calls that use this function, like the RollerAtomHandler class. The handler grabs the userid from the auth header and calls UserManager.getUser. If we had autoCreate it would "register" as many users as there are requests to this servlet. Hence, a DoS attack. I'm not against autoCreate; all I'm asking is that we place it in the correct location.
I'm not familiar with the code, but it seems to me that the only "use case" where autoCreate needs to be invoked is login (or perhaps an alternatively-configured behavior of register -- i.e. register would create a rolleruser account *only* if the user already exists in the external registry).
Rather than change an existing method in UserData or UserManager, wouldn't this just be a change in a login or register action?
-- Sean
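As an added illustration of the placement point made in both messages above (this is not Roller's code): the lookup with auto-creation beside a read-only lookup plus a login path that creates an account only after the external registry has vouched for it. The class, method and user names, and the "pw" password check, are assumptions made up for the example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added illustration, not Roller's code: the same lookup with and without
// auto-creation, showing why the side effect must not live in getUser().
public class AutoCreatePlacement {
    // Stand-in for the external registry the thread mentions; constructed names.
    static final Set<String> EXTERNAL_REGISTRY = Set.of("alice", "bob");

    static class UserManager {
        final Map<String, String> users = new HashMap<>(); // username -> display name

        // Vulnerable placement: every lookup creates a row. The Atom handler calls this
        // with whatever username the auth header carries, before anything has verified it.
        String getUserAutoCreate(String username) {
            return users.computeIfAbsent(username, u -> u);
        }

        // Correct placement: the lookup is read-only ...
        String getUser(String username) {
            return users.get(username);
        }

        // ... and creation happens only in the login path, after the external
        // registry has vouched for the account.
        String login(String username, String password) {
            if (!externalRegistryAuthenticates(username, password)) return null;
            return users.computeIfAbsent(username, u -> u);
        }
    }

    // Constructed stand-in for the external registry check.
    static boolean externalRegistryAuthenticates(String username, String password) {
        return EXTERNAL_REGISTRY.contains(username) && "pw".equals(password);
    }

    public static void main(String[] args) {
        UserManager vulnerable = new UserManager();
        UserManager fixed = new UserManager();
        // Simulate a burst of requests to the Atom handler carrying made-up usernames.
        for (int i = 0; i < 1000; i++) {
            vulnerable.getUserAutoCreate("guest-" + i);
            fixed.getUser("guest-" + i);
        }
        fixed.login("alice", "pw");
        System.out.println("autoCreate in getUser: " + vulnerable.users.size() + " accounts");
        System.out.println("autoCreate in login:   " + fixed.users.size() + " account(s)");
    }
}
```

The first manager ends up with one account per request, the second with only the account the registry confirmed at login.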
