On 12/31/05, Sean Gilligan <[EMAIL PROTECTED]> wrote:
> Elias Torres wrote:
> >
> > No you are not. I think what Brian is talking about is the fact that
> > we have to place the code in the right place; if not, we can open
> > ourselves to a DoS attack. For example, he was adding "autoCreate" to
> > the getUser(username) function in UserData or UserManager. I pointed
> > out to him that there are many (40+) calls that use this function, like
> > the RollerAtomHandler class. The handler grabs the userid from the
> > auth header and calls UserManager.getUser. If we had autoCreate it
> > would "register" as many users as there are requests to this servlet.
> > Hence, a DoS attack. I'm not against autoCreate; all I'm asking is
> > that we place it in the correct location.
>
> I'm not familiar with the code, but it seems to me that the only "use
> case" where autoCreate needs to be invoked is login (or perhaps an
> alternatively-configured behavior of register -- i.e. register would
> create a rolleruser account *only* if the user already exists in the
> external registry)
>
> Rather than change an existing method in UserData or UserManager
> wouldn't this just be a change in a login or register action?
Correct. My version of the code did it in RollerSession when the UserData bean is placed in the session *only* after you've logged in, meaning that you are a valid directory user.
>
> -- Sean

-elias
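As an added illustration of the two placements discussed above (this is not Roller's code and not code posted in this thread): a self-contained Java sketch in which auto-creation sits inside getUser(), so every unauthenticated Atom request that names a new user inserts a row, beside the placement Elias describes, where a row is created only after the external directory has accepted the login. The class names UserData, UserManager, RollerAtomHandler and RollerSession are borrowed from the discussion; their bodies, the Directory interface, the in-memory user table and the Basic-auth parsing are assumptions made for the demo.

```java
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Illustrative sketch, not Roller's code. Class names are borrowed from the
// mailing-list discussion; everything inside them is an assumption for the demo.
public class AutoCreatePlacement {

    /** Minimal stand-in for a Roller user record. */
    static final class UserData {
        final String username;
        UserData(String username) { this.username = username; }
    }

    /** Stand-in for the external registry (e.g. LDAP) that logins are checked against. */
    interface Directory {
        boolean authenticate(String username, String password);
    }

    /** Stand-in for UserManager: a lookup over the persistent user table. */
    static final class UserManager {
        private final Map<String, UserData> table = new HashMap<>();
        private final boolean autoCreate; // the setting under discussion

        UserManager(boolean autoCreate) { this.autoCreate = autoCreate; }

        // Placement objected to in the thread: every one of the 40+ callers of
        // getUser() can now insert rows, including callers that never checked a password.
        UserData getUser(String username) {
            UserData u = table.get(username);
            if (u == null && autoCreate) {
                u = new UserData(username);
                table.put(username, u);
            }
            return u;
        }

        // Explicit creation, meant to be reached only from an authenticated path.
        UserData createUser(String username) {
            return table.computeIfAbsent(username, UserData::new);
        }

        int userCount() { return table.size(); }
    }

    /** Stand-in for RollerAtomHandler: pulls the name from the auth header, then getUser(). */
    static final class RollerAtomHandler {
        private final UserManager users;
        RollerAtomHandler(UserManager users) { this.users = users; }

        UserData handle(String basicAuthHeader) {
            // Decode "Basic base64(user:pass)" and look the user up before any
            // password check; that ordering is what makes autoCreate here a DoS.
            String decoded = new String(Base64.getDecoder().decode(
                    basicAuthHeader.substring("Basic ".length())));
            String username = decoded.substring(0, decoded.indexOf(':'));
            return users.getUser(username);
        }
    }

    /** Stand-in for RollerSession: the only place a directory user becomes a Roller user. */
    static final class RollerSession {
        private final UserManager users;
        private final Directory dir;
        UserData current;
        RollerSession(UserManager users, Directory dir) { this.users = users; this.dir = dir; }

        boolean login(String username, String password) {
            if (!dir.authenticate(username, password)) {
                return false; // unknown user or bad password: nothing is created
            }
            UserData u = users.getUser(username);
            if (u == null) {
                u = users.createUser(username); // auto-create only after the directory said yes
            }
            current = u;
            return true;
        }
    }

    static String basic(String user, String pass) {
        return "Basic " + Base64.getEncoder().encodeToString((user + ":" + pass).getBytes());
    }

    public static void main(String[] args) {
        // Constructed directory with a single valid account.
        Directory dir = (u, p) -> "alice".equals(u) && "s3cret".equals(p);

        // Vulnerable placement: unauthenticated Atom requests with made-up names each add a row.
        UserManager bad = new UserManager(true);
        RollerAtomHandler atom = new RollerAtomHandler(bad);
        for (int i = 0; i < 1000; i++) atom.handle(basic("bogus" + i, "x"));
        System.out.println("autoCreate in getUser(): users = " + bad.userCount());

        // Correct placement: the same requests create nothing; only a successful login does.
        UserManager good = new UserManager(false);
        RollerAtomHandler atom2 = new RollerAtomHandler(good);
        for (int i = 0; i < 1000; i++) atom2.handle(basic("bogus" + i, "x"));
        RollerSession session = new RollerSession(good, dir);
        session.login("mallory", "x");      // not in the directory: no row
        session.login("alice", "s3cret");   // valid directory user: row created
        System.out.println("autoCreate after login: users = " + good.userCount());
    }
}
```

Running main shows the first UserManager holding one row per forged Authorization header, while the second holds only the row for the login the directory actually accepted. The point of the split is that the Atom handler still calls getUser() exactly as before; nothing in the request path is able to write to the user table.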
