Gonzalo Diethelm wrote:
Yeah, old issue, big can'o worms.

I participated in that old thread months (actually, I think it was more
than a year) ago. I still believe we should go this route:

* Everything is based on interfaces.
* There is a security manager interface that provides two methods:
  one to authenticate a user given their credentials (to login),
  and one to determine whether a user is authorized to do something.
  Nothing more, nothing less.
* From here on, there are several choices. I personally have an
  implementation of a concrete security manager that is pluggable:
  you specify how you authenticate and authorize (via objects that
  themselves implement a couple of generic interfaces). This means
  that I can then implement concrete authenticators and authorizers
  that, for example, replicate the current Turbine DB-based service,
  or I can implement null operators, etc., and switch from one to
  the other via TR.props. It also means that Turbine could ship with
  a default, simpler security implementation (null) AND a DB-based
  implementation that can be turned on if the user so desires.

Just my opinions. Regards,


--
Gonzalo A. Diethelm
[EMAIL PROTECTED]
Speaking of this topic, I had an idea one night about security. After a couple hours I came up with this:

http://dan.envoisolutions.com/jasf/

It seems to be pretty flexible, but I'm not sure everyone would like using it. I wanted something where I could authenticate not only webpages, but other resources - such as access to various components in my system. I even wrote a XML user and permission based system for it.

Thoughts?

- Dan Diephouse



--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>

Reply via email to