portals-jetspeed-dev mailing list archives

From Santiago Gala <sg...@hisitech.com>
Subject Re: Informal Meeting @ Collab
Date Tue, 08 Jan 2002 01:21:46 GMT
Martin Poeschl wrote:

> Santiago Gala wrote:
>> David Sean Taylor wrote:
>> <snip/>
>>> For those of you who can't make it, if you'd like to send me a list of
>>> questions/issues, I'd be glad to relay your questions at the meeting.
>> I would like to know about the evolution of the security stuff in 
>> Turbine. There are two issues that our team has problems with:
>> - Mixture between authentication/user management in the Turbine 
>> security model. You cannot have, for instance, user information in 
>> DB, while authenticating against LDAP or JAAS services. In a lot of 
>> our setups, we need to have users authenticated from a corporate 
>> source, which we *cannot* use to store user information. While this 
>> is relatively simple to patch, having separate services for user 
>> management and authentication/security would enable cleaner plugin of 
>> modules.
>> - Evolution towards a standard java security model. I have always 
>> preferred the java.security.Principal, etc. classes for security. I 
>> think we will be in trouble with the security model unless we build 
>> on top of the standard java security classes. If you see my previous 
>> point, ideally, authentication/security checks should be left to the 
>> servlet container, while user management can be dealt with at the 
>> turbine level.
>> I would be interested in feedback on these issues, especially on how 
>> people are working.
>> Thanks in advance
>> <snip/>
> a discussion about a new security model started at the turbine-dev 
> list yesterday ... everyone interested is invited to subscribe and 
> participate ;-)

Do you mean the thread "How to extend TURBINE_USER - a solution to the 
documented problem", later "Proposal for a new security model" in 

It supports the point I was making about separation of 
authentication/security checks vs. persistence and profile management.

I am much more concerned about the second point up in the quoted 
message. I will post there my feelings, but my basic feeling is that 
authentication and basic security belong to the servlet container, or, 
better, to the VM. We should plug and extend the standard Java 2 
interfaces and classes for this.

In this area, trying to re-invent the wheel is a mess, because testing 
and quality assurance will be very great. With JAAS bundled in JDK 1.4 
(or available as an extension in JDK 1.2+), we already have authentication 
against PAM, LDAP and NT security, and also a fine-grained and tested 
security model that is already there in Tomcat 4.

Inside a portlet container we cannot trust, for instance, that a portlet 
will not call data.getUser.getPassword() and send the password of a user 
by e-mail. So, we should use java.security.Principal as our base for 
security, and have it related with a UserProfile class, where we store 
whatever info is needed for Turbine, Jetspeed and other apps.

I will post in turbine-user.

Thanks for the warning. I read threaded e-mail, and the mail could have 
passed unnoticed for a long time.
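The split argued for in the message above, as an added illustration that is not Turbine, Jetspeed or JAAS code: an authentication service that only ever hands out a java.security.Principal, and a separate profile service keyed by the principal's name that holds the application data and no credential at all. A portlet handed the Principal has nothing like getPassword() to call. The class names (PortalPrincipal, AuthenticationService, UserProfile, UserProfileService) and the in-memory salted-hash store standing in for the corporate LDAP/JAAS source are assumptions made for this sketch.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

// Hypothetical sketch, not project code: authentication and profile storage
// are separate services, and the only thing that crosses the boundary into
// application code is a java.security.Principal (a name, nothing more).
public final class PrincipalSplitExample {

    /** What a portlet gets to see: the authenticated name, and only that. */
    static final class PortalPrincipal implements Principal {
        private final String name;
        PortalPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof PortalPrincipal && ((PortalPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "PortalPrincipal[" + name + "]"; }
    }

    /**
     * Stand-in for the corporate source (in a real deployment this would be a
     * JAAS LoginContext against LDAP or PAM). It knows credentials, but its
     * only output is a Principal or null; the password never leaves it.
     */
    static final class AuthenticationService {
        private final Map<String, byte[]> salts = new HashMap<>();
        private final Map<String, byte[]> hashes = new HashMap<>();
        private final SecureRandom rng = new SecureRandom();

        void register(String user, char[] password) {
            byte[] salt = new byte[16];
            rng.nextBytes(salt);
            salts.put(user, salt);
            hashes.put(user, hash(salt, password));
            Arrays.fill(password, '\0');          // caller's copy is wiped after use
        }

        /** Returns a Principal on success, null on failure. */
        Principal authenticate(String user, char[] password) {
            try {
                byte[] salt = salts.get(user);
                if (salt == null) { return null; }
                byte[] candidate = hash(salt, password);
                // constant-time comparison so timing does not leak the hash
                return MessageDigest.isEqual(candidate, hashes.get(user)) ? new PortalPrincipal(user) : null;
            } finally {
                Arrays.fill(password, '\0');
            }
        }

        private static byte[] hash(byte[] salt, char[] password) {
            try {
                MessageDigest md = MessageDigest.getInstance("SHA-256");
                md.update(salt);
                md.update(new String(password).getBytes(StandardCharsets.UTF_8));
                return md.digest();
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalStateException(e);
            }
        }
    }

    /** Application data Turbine/Jetspeed would need; note there is no password field. */
    static final class UserProfile {
        final String principalName;
        String email = "";
        String locale = "en";
        UserProfile(String principalName) { this.principalName = principalName; }
    }

    /** Profiles live in the application's own store, keyed by principal name. */
    static final class UserProfileService {
        private final Map<String, UserProfile> profiles = new HashMap<>();
        UserProfile profileFor(Principal p) {
            return profiles.computeIfAbsent(p.getName(), UserProfile::new);
        }
    }

    public static void main(String[] args) {
        AuthenticationService auth = new AuthenticationService();
        UserProfileService profiles = new UserProfileService();
        auth.register("alice", "correct horse".toCharArray());   // constructed sample user

        Principal bad = auth.authenticate("alice", "wrong".toCharArray());
        Principal good = auth.authenticate("alice", "correct horse".toCharArray());
        System.out.println("wrong password -> " + bad);            // null
        System.out.println("right password -> " + good);           // PortalPrincipal[alice]

        // The portlet side: it can read and update profile data through the
        // Principal, but there is no path from here back to the credential.
        UserProfile profile = profiles.profileFor(good);
        profile.email = "alice@example.org";
        System.out.println(profile.principalName + " <" + profile.email + "> locale=" + profile.locale);
    }
}
```

The point of the sketch is the type boundary: application code is written against Principal and UserProfile, and the only class that ever holds a password is the one that also wipes it. Swapping the in-memory store for LDAP or a JAAS LoginModule changes AuthenticationService alone, which is the separation the message asks for.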


