Kimbro Staken wrote:
We're talking simple here, it really won't be administered very much. I'm thinking one user with one password. This is all temporary to get us through a few versions while a more flexible system is developed.

I'm wondering if it is really worthwhile putting something quick and dirty in until a better solution is developed. It'd probably be easy to hack something together right now using http auth and clear text in files, but someone will most likely get burnt from such an implementation. Their clear text password file will get read, their non-https connection will get intercepted.


The question I'm asking is, do people consider it important enough to get user authentication in 1.1, even if it means having such an easily defeated model?

Personally, I'd much prefer to have ACL-style connection security before seeing an authentication mechanism in 1.1. To be able to say, "listen on this interface, on this port, but only accept connections from this IP address." (Someone should feel free to correct me if Xindice can already do this, but I've never seen it in the docs..).

In any case, one possibility for Xindice's "proper" user authentication mechanism is JAAS <http://java.sun.com/products/jaas/>. For those who aren't familiar with JAAS, it's a modular user authentication and access control framework (similar to PAM), which lets you use pluggable authentication backends. It's standard in 1.4, optional in 1.3. I've been wanting to have a play with JAAS for a while now, so perhaps integrating it into Xindice would be that opportunity.

Mike.

--
Mike Gratton <[EMAIL PROTECTED]>, <http://web.vee.net/>
"Every motive escalate."
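The "listen on this interface, on this port, but only accept connections from this IP address" behaviour Mike asks for, written out as an added Java example. This is illustration code, not Xindice's own; the class name, the bind address 127.0.0.1, port 8080 and the allow-list are all assumptions chosen for the demo.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.util.HashSet;
import java.util.Set;

/**
 * Binds a TCP listener to one interface/port and hangs up on any peer whose
 * source address is not on the allow-list. Hypothetical example, not Xindice code.
 */
public final class AllowListListener {
    private final InetSocketAddress bindTo;
    private final Set<InetAddress> allowed = new HashSet<>();

    /** Pass literal IP addresses; a hostname here would be resolved via DNS at startup. */
    public AllowListListener(String iface, int port, String... allowedPeers) throws IOException {
        this.bindTo = new InetSocketAddress(InetAddress.getByName(iface), port);
        for (String peer : allowedPeers) {
            allowed.add(InetAddress.getByName(peer));
        }
    }

    /** The policy decision on its own, so it can be tested without opening sockets. */
    public boolean isAllowed(InetAddress peer) {
        return allowed.contains(peer);
    }

    /** Accept loop: bind to the single interface, then filter each accepted peer. */
    public void serve() throws IOException {
        try (ServerSocket server = new ServerSocket()) {
            server.bind(bindTo);                       // this interface only, not 0.0.0.0
            System.err.println("listening on " + server.getLocalSocketAddress());
            while (true) {
                Socket client = server.accept();
                InetAddress peer = client.getInetAddress();
                if (!isAllowed(peer)) {
                    // The TCP handshake has already completed by the time we see the peer,
                    // so this is an application-level refusal, not a firewall drop.
                    System.err.println("refused connection from " + peer.getHostAddress());
                    client.close();
                    continue;
                }
                handle(client);
            }
        }
    }

    /** Stand-in for the real protocol handler: send a banner and close. */
    private void handle(Socket client) throws IOException {
        try (Socket c = client; OutputStream out = c.getOutputStream()) {
            out.write("accepted\n".getBytes(StandardCharsets.US_ASCII));
        }
    }

    public static void main(String[] args) throws IOException {
        // Assumed demo values: loopback interface, port 8080, loopback as the only allowed peer.
        new AllowListListener("127.0.0.1", 8080, "127.0.0.1").serve();
    }
}
```

Two caveats a practitioner would want alongside this. First, the filter runs after `accept()`, so an unwanted peer still completes the TCP handshake and consumes a socket before being dropped; a host firewall rule on the same interface/port is the stronger control and this check is a belt-and-braces layer on top of it. Second, a source IP is a weak identity: anything behind the same NAT, proxy or shared host looks identical, so it narrows exposure but does not replace the per-user authentication the thread is discussing.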


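To make the JAAS suggestion concrete, here is an added Java example (not code from the thread or from Xindice) of the pluggable-backend shape Mike describes: a `LoginModule` holding the "one user with one password" Kimbro mentions, wired up through a programmatic `Configuration` so it runs without a `jaas.conf` file. The application name `xindice-demo`, the class names and the credentials are assumptions for the demo; the in-memory clear text password is the stand-in backend, exactly the kind of thing the module boundary would let you swap for a hashed store or LDAP later.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical JAAS wiring for a single-user login; not Xindice code. Needs Java 9+ for Map.of. */
public final class JaasSingleUserDemo {

    /** Principal added to the Subject once login succeeds. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    /** The pluggable part: one user and one password, both read from the module options. */
    public static final class SingleUserLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String expectedUser;
        private char[] expectedPassword;
        private String loggedInUser;          // set by login(), consumed by commit()

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            this.expectedUser = (String) options.get("user");
            this.expectedPassword = ((String) options.get("password")).toCharArray();
        }

        @Override
        public boolean login() throws LoginException {
            NameCallback nameCb = new NameCallback("user: ");
            PasswordCallback passCb = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nameCb, passCb });   // ask the caller for credentials
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("could not collect credentials: " + e.getMessage());
            }
            char[] given = passCb.getPassword();
            passCb.clearPassword();
            boolean ok = expectedUser.equals(nameCb.getName()) && slowEquals(given, expectedPassword);
            if (given != null) Arrays.fill(given, '\0');             // do not leave the copy in memory
            if (!ok) throw new FailedLoginException("bad user or password");
            loggedInUser = nameCb.getName();
            return true;
        }

        @Override public boolean commit() {
            if (loggedInUser == null) return false;
            subject.getPrincipals().add(new UserPrincipal(loggedInUser));
            return true;
        }
        @Override public boolean abort() { loggedInUser = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); loggedInUser = null; return true; }

        /** Compares every character regardless of where the first mismatch is, to avoid a timing leak. */
        private static boolean slowEquals(char[] a, char[] b) {
            if (a == null || b == null) return false;
            int diff = a.length ^ b.length;
            for (int i = 0; i < a.length && i < b.length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }

    /** Programmatic equivalent of a jaas.conf entry named "xindice-demo" (assumed name). */
    static Configuration configFor(String user, String password) {
        AppConfigurationEntry entry = new AppConfigurationEntry(
            SingleUserLoginModule.class.getName(), LoginControlFlag.REQUIRED,
            Map.of("user", user, "password", password));
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "xindice-demo".equals(name) ? new AppConfigurationEntry[] { entry } : null;
            }
        };
    }

    /** Supplies fixed credentials to whatever callbacks the module asks for. */
    static CallbackHandler credentials(String user, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** Returns the authenticated Subject, or null when the credentials are refused. */
    static Subject tryLogin(String user, String password) throws LoginException {
        LoginContext lc = new LoginContext("xindice-demo", credentials(user, password));
        try { lc.login(); } catch (FailedLoginException e) { return null; }
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        Configuration.setConfiguration(configFor("admin", "s3cret"));   // assumed demo credentials
        System.out.println("good login:  " + tryLogin("admin", "s3cret").getPrincipals());
        System.out.println("wrong login: " + tryLogin("admin", "guess"));
    }
}
```

The point of the split is that `tryLogin` and the `Configuration` never mention how a password is checked; replacing `SingleUserLoginModule` with a module that reads a hashed password file or talks to LDAP is a change to one class and one `AppConfigurationEntry`. The module's options map is the usual JAAS place for backend settings, so in a deployed system the password would not live there in clear text as it does in this demo.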
