[tangent alert]

On Tue, May 12, 2009 at 10:05:41AM +0200, Peter Schober wrote:
[other good advice trimmed]
> > > Your problem will be to make the various applications running under
> > > Apache aware of the single sign-on.
>
> This is indeed as much an art as a science. Every self-respecting
> application has its own user store, authentication mechanism, login
> form, session mechanism, etc. (which is understandable, since it can't
> expect everyone to have the necessary parts already in place).

This much is inevitable.

> So each and every application needs to be modified to rely on
> externally provided authentication (preferably via relying on
> REMOTE_USER already being set by some mod_*), refrain from insisting
> on collecting username+password itself (and impersonating the user to
> other services with them that way), possibly even "outsourcing" its
> session management (also take into account terminating these several
> different sessions, one for the SSO system, one for the application,
> with different timeouts, idle timeouts and consequences for the user
> experience.)

This is not inevitable and it is most unfortunate. Any self-respecting
application which uses authentication ought not require us to hack it
after the fact to use the methods required by its environment. A
built-in authentication method ought to be separated from the main
application by a plugin interface *from day one*, and it should be
possible to simply leave it unplugged and plug in something else if you
have one.

We all should pay more attention to keeping authentication,
authorization, and identity separate and to keeping their specific
methods separable from the apps we build. And we need to pound on this
point with others who build apps for us, until it goes in. I've lost
count of the number of products which would have met our needs *except*
that they had only a toy authentication mechanism wired in with no
possibility of bypassing it.

[end rant]

-- 
Mark H. Wood, Lead System Programmer mwood@xxxxxxxxx
Friends don't let friends publish revisable-form documents.
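Added example, not code from the thread or from either poster: a small WSGI application built the way the message above argues for. The application only ever talks to an `Authenticator` interface. One implementation trusts the `REMOTE_USER` variable that an Apache `mod_*` authentication module sets, the other is the application's own form login backed by a local user store, and the two are swapped at construction time without touching the application. All names here (`Authenticator`, `RemoteUserAuth`, `FormAuth`, `LocalUserStore`, `make_app`, `call`, the `example.form` environ key) are hypothetical, and the user store is a constructed toy.

```python
"""Pluggable authentication for a WSGI app (added example, hypothetical names)."""
import hashlib
import hmac
import os
from typing import Optional, Protocol


class Authenticator(Protocol):
    """The only thing the application knows about authentication."""
    def authenticate(self, environ: dict) -> Optional[str]:
        """Return the authenticated username, or None."""


class RemoteUserAuth:
    """Trust the identity the web server already established.

    REMOTE_USER is a CGI/WSGI variable that the server populates (for Apache,
    an authentication module does this). It is deliberately NOT read from the
    request headers: a header a client sends, e.g. `Remote-User: alice`,
    reaches the app as environ["HTTP_REMOTE_USER"] and proves nothing.
    """
    def authenticate(self, environ: dict) -> Optional[str]:
        return environ.get("REMOTE_USER") or None


class LocalUserStore:
    """Constructed toy user store: salted PBKDF2 hashes, in memory."""
    def __init__(self) -> None:
        self._users: dict = {}

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._digest(salt, password))

    def verify(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            # Do the same work for unknown users so a missing account is not
            # distinguishable by response time.
            self._digest(b"\0" * 16, password)
            return False
        salt, expected = rec
        return hmac.compare_digest(expected, self._digest(salt, password))


class FormAuth:
    """The app's own login, kept behind the same interface so it can be unplugged.
    For this example the parsed login form is expected in environ["example.form"]."""
    def __init__(self, store: LocalUserStore) -> None:
        self._store = store

    def authenticate(self, environ: dict) -> Optional[str]:
        form = environ.get("example.form") or {}
        user, password = form.get("username"), form.get("password")
        if user and password and self._store.verify(user, password):
            return user
        return None


def make_app(auth: Authenticator):
    """Build a WSGI app; note that it never sees a password or a header."""
    def app(environ, start_response):
        user = auth.authenticate(environ)
        if user is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"authentication required\n"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [f"hello, {user}\n".encode()]
    return app


def call(app, environ: dict):
    """Invoke a WSGI app with a constructed environ; return (status, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"] = status
    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


if __name__ == "__main__":
    # Same application, two authenticators: the server-set variable is trusted,
    # the client-supplied header of the same name is not.
    sso_app = make_app(RemoteUserAuth())
    print(call(sso_app, {"REMOTE_USER": "alice"}))
    print(call(sso_app, {"HTTP_REMOTE_USER": "alice"}))
    store = LocalUserStore()
    store.add("bob", "s3cret")
    local_app = make_app(FormAuth(store))
    print(call(local_app, {"example.form": {"username": "bob", "password": "s3cret"}}))
```

The point of the split is the one the message makes: the application body in `make_app` is identical under SSO and under standalone login, so deploying it behind an Apache authentication module means constructing it with `RemoteUserAuth()` rather than patching the application. The `REMOTE_USER` versus `HTTP_REMOTE_USER` distinction is the check to remember when wiring this up: only the former is set by the server.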