You are correct, there isn't any way to prevent that from happening.
However, in a relational db, you wouldn't want to put passwords
in the clear :-). I am currently working on a project that has passwords
stored in a db2 database in the clear. We have an effort underway to
encrypt the values. So while your example isn't perfect, the problem
is that there isn't any way to prevent someone from reading the data.
Encrypting the entire database would make searching it very difficult :-).
Currently, you have to restrict access to the directory. If you are doing
a web based version, then you have to layer security on top in your
application. If you are embedding Xindice in a single user application,
then that user owns the data so it shouldn't be a problem. If you are
creating your own server, then you have to restrict access to the directory
where the Xindice data is stored and layer security on in your server.
hth,
Mark
[EMAIL PROTECTED] wrote:
Quoting Murray Altheim <[EMAIL PROTECTED]>:
> Gianugo Rabellino wrote:
>
> > [EMAIL PROTECTED] wrote:
> >
> >> I read that the authentication options in Xindice are on the TODO list:
> >> (#ref:
> >> http://marc.theaimsgroup.com/?l=xindice-users&m=101431923219207&w=2)
> >>
> >> I have noticed that the getCollection method has (id,username,password)
> >> where username and password are used to authenticate the access to the
> >> database.
> >>
> >> I was wondering how it is possible to create a collection that is
> >> protected by a (username,password) schema.
> >
> >
> > Not yet. It's still in the TODO, I hope to be able to come up with some
> > kind of (maybe rough) solution shortly.
>
>
> You might look into all the new stuff in Java 1.4 rather than
> inventing something. There's a lot of new APIs, such as the
> Java Cryptography Extension and Java Authentication and
> Authorization Service (JAAS). Between that and the logging
> and preferences APIs it's taking a lot of the grunt work out
> of a project. I currently have my own logging and preferences
> code and am seriously considering dumping it in favour of
> the new APIs (though I'm currently using Java 1.3.1).
>
> Just my 2p.
>
> Murray
>
> ......................................................................
> Murray Altheim <http://kmi.open.ac.uk/people/murray/>
> Knowledge Media Institute
> The Open University, Milton Keynes, Bucks, MK7 6AA, UK
>
> In the evening
> The rice leaves in the garden
> Rustle in the autumn wind
> That blows through my reed hut. -- Minamoto no Tsunenobu
>

I will tell you the reason I am asking:
let's say I have a collection for a user called 'Maria', under that
collection I will have one document called 'uid' and two other collections
let's say of personal data.

- [Maria]
  - uid (doc with username, password)
  - [pdata1]
  - [pdata2]
  - more..

Now, I write an application that uses Xindice, and authenticate the user
'Maria' with her username & password by the 'uid' document. All fine until now...

But, consider a malicious user that knows I am using Xindice. He can easily
write an application that gets the collections of personal data that
reside in the 'Maria' collection. Now he can read all the personal
information without the need to authenticate...

Is there some method of avoiding this?
Did anyone before me encounter this problem and find a way to override it?
Or, is there a hole in my logic? ;)

Thank you, Gianugo Rabellino, for your fast response.
Thank you in advance for all your help!
Merry Christmas,
Moran.
--
Mark J Stang
System Architect
Cybershop Systems
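The thread's point about not keeping passwords in the clear, as an added example that is not from any of the posters or from Xindice: a sketch of what the 'uid' document could hold instead of the password. It swaps the "encrypt the values" approach mentioned above for a salted one-way PBKDF2 verifier; the class name, XML element names and iteration count are assumptions.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Added example: keeps a salted PBKDF2 verifier in the 'uid' document, never the password.
public class UidVerifier {
    static final int ITERATIONS = 210_000; // assumed work factor, tune for your hardware
    static final int KEY_BITS = 256;

    static byte[] derive(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // drop the in-memory copy of the password
        }
    }

    // XML to store as the 'uid' document (element names are hypothetical).
    static String uidXml(String username, byte[] salt, byte[] hash) {
        Base64.Encoder b64 = Base64.getEncoder();
        String safeName = username.replace("&", "&amp;").replace("<", "&lt;");
        return "<uid><username>" + safeName + "</username>"
             + "<verifier alg=\"PBKDF2WithHmacSHA256\" iterations=\"" + ITERATIONS
             + "\" salt=\"" + b64.encodeToString(salt) + "\">"
             + b64.encodeToString(hash) + "</verifier></uid>";
    }

    // Login check: re-derive from the candidate and compare in constant time.
    static boolean matches(char[] candidate, byte[] salt, byte[] storedHash)
            throws GeneralSecurityException {
        return MessageDigest.isEqual(storedHash, derive(candidate, salt));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // fresh random salt per user
        byte[] hash = derive("constructed-sample-pw".toCharArray(), salt);

        System.out.println(uidXml("Maria", salt, hash));
        System.out.println(matches("constructed-sample-pw".toCharArray(), salt, hash));
        System.out.println(matches("wrong-guess".toCharArray(), salt, hash));
    }
}
```

This only limits what someone who can read the 'uid' document learns about the password. The personal-data collections stay readable to anyone with access to the data directory, so the directory restriction and application-layer checks described in the reply are still required.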
