Hi,
I have a comment and a question/suggestion. Depending on your interest, you
may skip or read the comment.

*COMMENT*
Today I started looking at the Security Service of Turbine and it was exactly
what I was looking for.
(Unless I am interpreting it wrong).

The application that I am developing is a Web-based Management Console for an
array of our Directory and Messaging products. The Turbine security groups
concept (if I have interpreted it properly) follows exactly the model that we
are trying to model in our application.

For our case, each application managed by the Management Console would have
its own set of Security Groups.
I think that the Turbine Security model may be inspired by the idea of a user
being granted a role (out of an extendible predefined role set). This means
that Roles may or may not end up participating in a security group depending
on whether a user is granted that role on a particular group.
In my case I have 2 paths to follow from here when assigning permissions to
my roles.

1) each application attached (in a pluggable way) to my console appends its
set of permissions to the predefined (but extendible) roles, or
2) each pluggable application provides its own set of roles (with
configurable permissions) and only these roles are allowed to be assigned to
users of the application's security groups.

*REQUEST/SUGGESTION*

As much as I like your simple yet effective ACL strategy, I am still trying
to understand the inspiration behind your User object -
Username/Password/First Name/Last Name/Email?

I believe that your authentication mechanism revolves around the simple user
name password combo client side authentication. This makes things awkward
when trying to use a different type of authentication mechanism.
Did you ever consider adding a level of indirection in your security
package to use the java.security.Principal instead of the username,
Credentials instead of Password? Also, wouldn't it be better that stuff like
FirstName, LastName, Email be encapsulated inside a UserInfo Class/Interface
referenced inside the User object?

Has anyone looked at the JAAS model? I may be trying to either combine or
implement something like JAAS that would work in Turbine (at least for my
project). Turbine Authorization model to get some more flexibility on
authentication. I have to be able to offer solutions that use OS
Authentication and LDAP authentication. Some are even suggesting
certificates.
By the way, is there any LDAP User implementation already?


Sarb
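
The indirection suggested in the message above, sketched as an added example that is not part of the original post and is not Turbine code. All type names (`Credentials`, `Authenticator`, `UserInfo`, `LocalAuthenticator`, and so on) are hypothetical, and Java 17 or later is assumed:

```java
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import java.util.Optional;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Every type here is hypothetical and for illustration only; none is a Turbine class.
public class PrincipalIndirectionDemo {
    record UserInfo(String firstName, String lastName, String email) {}   // profile data only
    record User(Principal principal, UserInfo info) {}                    // identity + profile, no password field
    record NamedPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    interface Credentials {}                                              // password, certificate, OS token...
    record PasswordCredentials(String name, char[] password) implements Credentials {}
    interface Authenticator {                                             // one implementation per mechanism
        Optional<Principal> authenticate(Credentials c) throws Exception;
    }
    record StoredSecret(byte[] salt, byte[] hash) {}

    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    /** Local-store mechanism; an LDAP or OS authenticator would implement the same interface. */
    record LocalAuthenticator(Map<String, StoredSecret> store) implements Authenticator {
        public Optional<Principal> authenticate(Credentials c) throws Exception {
            if (!(c instanceof PasswordCredentials p)) return Optional.empty();  // unsupported credential type
            StoredSecret s = store.get(p.name());
            // Constant-time comparison of the derived hash against the stored one.
            if (s == null || !MessageDigest.isEqual(s.hash(), pbkdf2(p.password(), s.salt())))
                return Optional.empty();
            return Optional.of(new NamedPrincipal(p.name()));
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = "constructed-salt".getBytes();                      // constructed sample data
        Authenticator auth = new LocalAuthenticator(
            Map.of("alice", new StoredSecret(salt, pbkdf2("s3cret".toCharArray(), salt))));
        Optional<Principal> ok = auth.authenticate(new PasswordCredentials("alice", "s3cret".toCharArray()));
        Optional<Principal> bad = auth.authenticate(new PasswordCredentials("alice", "wrong".toCharArray()));
        User user = new User(ok.orElseThrow(), new UserInfo("Sample", "User", "user@example.invalid"));
        System.out.println(user.principal().getName() + " / wrong password accepted: " + bad.isPresent());
    }
}
```

Authorization code that consumes only `User.principal()` never sees which mechanism produced it, which is the property that makes swapping in OS, LDAP or certificate authentication possible.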

