Quoting Murray Altheim <[EMAIL PROTECTED]>:
> Gianugo Rabellino wrote:
>
> > [EMAIL PROTECTED] wrote:
> >
> >> I read that the authentication options in Xindice are on the TODO list:
> >> (#ref:
> >> http://marc.theaimsgroup.com/?l=xindice-users&m=101431923219207&w=2)
> >>
> >> I have noticed that the getCollection method has (id,username,password)
> >> where username and password are used to authenticate the access to the
> >> database.
> >>
> >> I was wondering how it is possible to create a collection that is
> >> protected by a (username,password) schema.
> >
> >
> > Not yet. It's still in the TODO, I hope to be able to come up with some
> > kind of (maybe rough) solution shortly.
>
>
> You might look into all the new stuff in Java 1.4 rather than
> inventing something. There's a lot of new APIs, such as the
> Java Cryptography Extension and Java Authentication and
> Authorization Service (JAAS). Between that and the logging
> and preferences APIs it's taking a lot of the grunt work out
> of a project. I currently have my own logging and preferences
> code and am seriously considering dumping it in favour of
> the new APIs (though I'm currently using Java 1.3.1).
>
> Just my 2p.
>
> Murray
>
> ......................................................................
> Murray Altheim <http://kmi.open.ac.uk/people/murray/>
> Knowledge Media Institute
> The Open University, Milton Keynes, Bucks, MK7 6AA, UK
>
> In the evening
> The rice leaves in the garden
> Rustle in the autumn wind
> That blows through my reed hut. -- Minamoto no Tsunenobu
>
I will tell you the reason I am asking:
Let's say I have a collection for a user called 'Maria'. Under that
collection I will have one document called 'uid' and two other collections,
let's say of personal data.
- [Maria]
  - uid (doc with username, password)
  - [pdata1]
  - [pdata2]
  - more..
Now, I write an application that uses Xindice, and authenticate the user
'Maria' with her username & password by the 'uid' document. All fine until now...
But consider a malicious user that knows I am using Xindice. He can easily
write an application that gets the collections of personal data that
reside in the 'Maria' collection. Now he can read all the personal
information without the need to authenticate...
Is there some method of avoiding this?
Did anyone before me encounter this problem and find a way to override it?
Or is there a hole in my logic? ;)
Thank you, Gianugo Rabellino, for your fast response.
Thank you in advance for all your help!
Merry Christmas,
Moran.