Craig,

Today I was thinking again about the issue we were discussing
last week, and I'm getting more and more convinced that
we should *not* include the authenticating scheme you proposed
as a default in Turbine.

There is one more point against it: suppose that there are
1000 users online in a web application. Each one of them
is executing actions that require database server interaction.
If we wanted to connect to the database with the minimal possible
set of privileges, we would have to make 1000 connections
between the application and the database, which would consume
a lot of system resources, or keep a smaller number of
connections, destroying them and creating new connections with
appropriate authentication information as the requests from
the clients arrive. This is also unacceptable, because the
amount of processing needed to establish such a connection is
often very high. On the other hand, keeping a pool of
identical connections is the best performance scenario, with
the disadvantage that the security issues are the sole responsibility
of the application.

This makes me think that your authentication scheme would be
useful only if the following conditions are met:
- you have a relatively small number of users, so that the
  server is able to sustain the multitude of different connections
- the data that you are processing is sensitive, and you wish
  to use the database server's security mechanisms as an additional
  safeguard against possible bugs in the application code
- you can cope with the task of creating each user account
  manually (creating user accounts by the application would
  be against the previous point)

This brings me to the conclusion that the default authentication
scheme used by Turbine should be single user per application,
with the employment of connection pooling.

On the other hand, adding your scheme would be relatively easy:
you would have to override getAuthenticatedUser( String name, String password )
in SecurityService and provide a custom implementation of the upcoming
UserManager interface that uses your scheme of authentication.
Once the Service is ready and running, I can assist you in creating
this extension, if you wish.

Rafal
--
Rafal Krzewski
Senior Internet Developer
mailto:[EMAIL PROTECTED]
+48 22 8534830 http://e-point.pl