Re: [smartweb-devel] Requirements for auth module
From: rlogiacco <rlo...@us...> - 2007-07-31 13:23:31
Other requirements I've missed are:

1. do not store clear passwords; instead store a hash of the password and on login check that the provided password produces the same hash;
2. add a new status to mark users who MUST change their password on logon (useful for many actions);
3. add "password forgotten" functionality which must generate a new password, replace the old one and allow the caller to notify the new password to the user (by email, on screen, by SMS or any other communication channel you can think of).

rlogiacco wrote:
>
> Anyway, returning to the topic, I'm here to define the requisites of the
> module to share and clarify them once and for all.
>
> 1. users and groups should be treated in a similar manner, being interchangeable;
> 2. the administrator must be able to tell the module "allow user/group X to operate in the role Y only if the function operates on an object of type Z and id N [ and current time is between 8am and 6pm ]", with the last part optional and customizable;
> 3. permissions and rules should be customizable through a configuration file without intervention in the code, allowing method-level granularity similar to the EJB security constraints;
> 4. users are stored by default in a database, but other data sources (LDAP for example) should be configurable;
> 5. no constraints between the auth module data and other modules, to allow deployment on separate databases;
> 6. no class constraints and no requirements on the classes using the module: as stated before, the security constraint should be activatable at configuration time (AOP should be the solution);
> 7. customizability of both the authentication process and the authorization process, like "no logins for users in role X between 8pm and 8am" or "disallow requests to function F if more than 5 users are already logged in", through custom classes and configuration;
> 8. ability to load balance the module with the web application;
> 9. ability to check credentials both on the presentation tier ("show this field only if user is authorized") and on the business tier ("allow this operation only if user is authorized");
> 10. support for distributed presentation and business tiers (on two or more servers) and implicit transmission of credentials (needs integration with JAAS).
>
> Have I forgotten something?
>
> Roberto

--
View this message in context: http://www.nabble.com/Requirements-for-auth-module-tf3513039s17546.html#a11923937
Sent from the SmartWeb Developers mailing list archive at Nabble.com.
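The three requirements added in the message above (hashed password storage with verification on login, a must-change-password status, and a "password forgotten" flow that generates a replacement password and hands it to the caller for delivery) as one worked example. This is added illustration code, not SmartWeb's own auth module: the in-memory `UserStore`, the PBKDF2 parameters and the record format are assumptions chosen for this example; the project would back the store with its database or LDAP source. The generated password is flagged must-change so it is usable for a single logon only.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Example parameters (assumed, not SmartWeb settings). The iteration count is
# recorded in each stored record so it can be raised later without breaking
# existing users.
HASH_ALG = "sha256"
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'alg$iterations$salt_hex$hash_hex'.

    Only this string is ever stored; the clear-text password is not persisted.
    """
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_ALG, password.encode("utf-8"), salt, iterations)
    return f"{HASH_ALG}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/parameters; compare in constant time."""
    alg, iterations, salt_hex, hash_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(alg, password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


# Used when the user does not exist, so an unknown name costs the same time
# as a wrong password and cannot be distinguished by timing.
DUMMY_RECORD = hash_password("dummy-password-for-unknown-users")


@dataclass
class User:
    name: str
    password_record: str
    must_change_password: bool = False   # the new status the message asks for


class UserStore:
    """Minimal in-memory user store (hypothetical stand-in for a DB/LDAP backend)."""

    def __init__(self) -> None:
        self._users: Dict[str, User] = {}

    def create(self, name: str, password: str) -> User:
        user = User(name, hash_password(password))
        self._users[name] = user
        return user

    def login(self, name: str, password: str) -> Tuple[bool, bool]:
        """Return (authenticated, must_change_password)."""
        user = self._users.get(name)
        if user is None:
            verify_password(password, DUMMY_RECORD)
            return False, False
        ok = verify_password(password, user.password_record)
        return ok, (ok and user.must_change_password)

    def change_password(self, name: str, old: str, new: str) -> bool:
        """Replace the hash after re-checking the old password; clears the flag."""
        user = self._users.get(name)
        if user is None or not verify_password(old, user.password_record):
            return False
        user.password_record = hash_password(new)
        user.must_change_password = False
        return True

    def forgot_password(self, name: str) -> Optional[str]:
        """Generate a fresh random password, replace the old one and return the
        new clear-text value to the caller, which delivers it by whatever channel
        it likes (email, screen, SMS). The user is flagged must_change_password
        so the generated password is good for one logon only."""
        user = self._users.get(name)
        if user is None:
            return None
        new_password = secrets.token_urlsafe(12)
        user.password_record = hash_password(new_password)
        user.must_change_password = True
        return new_password
```

The caller of `forgot_password` is the only place the generated password exists in the clear; the store keeps just the new hash, and the next successful `login` reports `must_change_password=True` so the application can force a `change_password` before anything else.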
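The rule form in quoted requirement 2 ("allow user/group X in role Y only on objects of type Z and id N [ and between 8am and 6pm ]"), the configuration-driven rules of requirement 3 and the custom constraints of requirement 7 ("disallow requests to function F if more than 5 users are already logged in"), as one added example. This is illustration code, not part of the original message or of SmartWeb; the subjects, roles, object types, the `CONFIG` dictionaries and the `Constraint` callable shape are constructed assumptions. Users and groups are both plain names, so a rule subject matches either, which is what requirement 1 asks for.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Principal:
    """A user plus the groups it belongs to; a rule subject may name either."""
    name: str
    groups: frozenset = frozenset()

    def subject_names(self) -> Set[str]:
        return {self.name} | set(self.groups)


@dataclass(frozen=True)
class Rule:
    """allow SUBJECT in role ROLE on objects of type OBJECT_TYPE [id OBJECT_ID] [between START and END]."""
    subject: str
    role: str
    object_type: str
    object_id: Optional[str] = None              # None: any instance of the type
    window: Optional[Tuple[time, time]] = None   # optional wall-clock restriction

    def matches(self, principal: Principal, role: str, object_type: str,
                object_id: str, now: datetime) -> bool:
        if self.subject not in principal.subject_names():
            return False
        if self.role != role or self.object_type != object_type:
            return False
        if self.object_id is not None and self.object_id != object_id:
            return False
        if self.window is not None:
            start, end = self.window
            t = now.time()
            # A window such as 20:00-08:00 wraps past midnight.
            inside = (start <= t < end) if start <= end else (t >= start or t < end)
            if not inside:
                return False
        return True


def load_rules(config: Iterable[dict]) -> List[Rule]:
    """Build rules from plain dicts, the shape a parsed config file would give."""
    rules = []
    for entry in config:
        window = None
        if "window" in entry:
            start, end = (time.fromisoformat(s) for s in entry["window"])
            window = (start, end)
        rules.append(Rule(entry["subject"], entry["role"], entry["type"],
                          entry.get("id"), window))
    return rules


# Constructed configuration for this example (hypothetical subjects/roles/types).
CONFIG = [
    {"subject": "admins", "role": "editor", "type": "Article"},
    {"subject": "roberto", "role": "editor", "type": "Article", "id": "42",
     "window": ["08:00", "18:00"]},
]

# A custom constraint is any callable with this signature. It runs after the
# rules and can veto a request the rules would otherwise allow.
Constraint = Callable[[Principal, str, str, str, datetime], bool]


def max_logged_in(active_sessions: Set[str], limit: int) -> Constraint:
    """'disallow the request if more than LIMIT users are already logged in'."""
    def check(principal: Principal, role: str, object_type: str,
              object_id: str, now: datetime) -> bool:
        return len(active_sessions) <= limit
    return check


class Authorizer:
    def __init__(self, rules: List[Rule],
                 constraints: Optional[List[Constraint]] = None) -> None:
        self.rules = rules
        self.constraints = list(constraints or [])

    def is_allowed(self, principal: Principal, role: str, object_type: str,
                   object_id: str, now: Optional[datetime] = None) -> bool:
        now = now or datetime.now()
        if not any(r.matches(principal, role, object_type, object_id, now)
                   for r in self.rules):
            return False   # deny by default: no rule grants the request
        return all(c(principal, role, object_type, object_id, now)
                   for c in self.constraints)
```

Because `is_allowed` takes `now` as a parameter, the time-window rules can be tested deterministically; in production the caller leaves it unset. The same `Authorizer` can serve both tiers from requirement 9: the presentation tier asks it before rendering a field, the business tier before executing the method.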