Sorry for the delay getting back to you on this, I've been sick the past few days. Your arguments make a lot of sense; in the presence of connection pooling, you do want each connection to be privileged so it can be reused by anyone. Hadn't really thought that part through.

-----Original Message-----
From: Rafal Krzewski [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 29, 2000 5:59 AM
To: Turbine
Subject: Authenticating as a specific user

Craig,

Today I was thinking again on the issue we were discussing last week, and I'm getting more and more convinced that we should *not* include the authenticating scheme you proposed as a default in Turbine.

There is one more point against it: suppose that there are 1000 users online in a web application. Each one of them is executing actions that require database server interaction. If we wanted to connect to the database with the minimal possible set of privileges, we would have to make 1000 connections between the application and the database, which would consume a lot of system resources, or keep a smaller number of connections, destroying them and creating new connections with appropriate authentication information as the requests from the clients arrive. This is also unacceptable, because the amount of processing needed to establish such a connection is often very high. On the other hand, keeping a pool of identical connections is the best performance scenario, with the disadvantage that the security issues are the sole responsibility of the application.

This makes me think that your authentication scheme would be useful only if the following conditions are met:
- you have a relatively small number of users, so that the server is able to sustain the multitude of different connections
- the data that you are processing is sensitive, and you wish to use the database server's security mechanisms as an additional safeguard against possible bugs in the application code
- you can cope with the task of creating each user account manually (creating user accounts by the application would be against the previous point)

This brings me to the conclusion that the default authentication scheme used by Turbine should be single user per application, with the employment of connection pooling. On the other hand, adding your scheme would be relatively easy: you would have to override getAuthenticatedUser( String name, String password ) in SecurityService and provide a custom implementation of the upcoming UserManager interface that uses your scheme of authentication. Once the Service is ready and running, I can assist you in creating this extension, if you wish.

Rafal

--
Rafal Krzewski
Senior Internet Developer
mailto:[EMAIL PROTECTED]
+48 22 8534830
http://e-point.pl

------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
Search: <http://www.mail-archive.com/turbine%40list.working-dogs.com/>
Problems?: [EMAIL PROTECTED]
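An added illustration of the trade-off Rafal describes, not code from the thread or from Turbine: a pool of identical connections all opened as the single application account, so the database never learns who the end user is and the per-user ownership check has to live in the application. The pool class, the `accounts` table and the user/balance rows are constructed for the demo (Python and an in-memory SQLite database stand in for the Java application and its database server).

```python
import queue
import sqlite3

# Constructed sample schema: each account row belongs to one application user.
SCHEMA = """
CREATE TABLE IF NOT EXISTS accounts (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, balance INTEGER NOT NULL);
INSERT OR REPLACE INTO accounts VALUES (1, 'alice', 100), (2, 'bob', 250);
"""
DB_URI = "file:turbine_demo?mode=memory&cache=shared"  # stands in for the database server


class ConnectionPool:
    """Fixed number of identical connections, all opened as the one application account."""
    def __init__(self, size):
        self._idle = queue.Queue()
        for _ in range(size):
            self._idle.put(sqlite3.connect(DB_URI, uri=True, check_same_thread=False))

    def acquire(self):
        return self._idle.get()

    def release(self, conn):
        self._idle.put(conn)  # same identity for every caller, so any request may reuse it


def get_balance(pool, principal, account_id):
    """Read a balance on behalf of `principal`.

    The pooled connection knows nothing about the end user, so the ownership check
    happens here, with the principal bound as a query parameter. Filtering on
    account_id alone would let any logged-in user read any account.
    """
    conn = pool.acquire()
    try:
        row = conn.execute(
            "SELECT balance FROM accounts WHERE id = ? AND owner = ?",
            (account_id, principal),
        ).fetchone()
    finally:
        pool.release(conn)
    if row is None:
        raise PermissionError(f"{principal} may not read account {account_id}")
    return row[0]


def build_pool(size=4):
    # Load the constructed sample data through one pooled connection; the shared
    # in-memory database lives as long as the pool holds at least one connection.
    pool = ConnectionPool(size)
    conn = pool.acquire()
    conn.executescript(SCHEMA)
    pool.release(conn)
    return pool
```

Every request runs as the same database principal, so the `owner = ?` clause is the only thing standing between alice and bob's row; this is exactly the "sole responsibility of the application" that the per-user scheme would have pushed down into the database server's own access control.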
