[Geoserver-devel] GSIP-71: few comments

Hi Justin,
I have taken a quick look at GSIP 71.

It looks good, I fully agree to have a Users/Groups database/service instead of relying on user.properties, and absolutely agree with password encryption and policies.

I don’t understand very well why we need a role based password though, if it’s your specific need, it’s fine for me.

Moreover, given this good amount of work, I would suggest also the following (if it’s not much work):

  • users/groups enable/disable
  • password expiration
  • possible extension for registration forms?

Finally, it’s not very clear in the proposal, or at least to me, how we can extend the security mechanism in order to authenticate against other AA systems like LDAP, CAS or similar.
Are you planning to rely on spring-security stuff?

Regards,
Alessio.


Ing. Alessio Fabiani
Founder / CTO GeoSolutions S.A.S.

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy

phone: (+39) 0584 96.23.13
fax: (+39) 0584 96.23.13
mobile:(+39) 331 62.33.686

http://www.geo-solutions.it
http://geo-solutions.blogspot.com
http://www.linkedin.com/in/alessiofabiani
https://twitter.com/alfa7961
http://twitter.com/geosolutions_it

Ciao Alessio,

Thanks for the feedback, comments inline.

On Mon, Feb 27, 2012 at 8:50 AM, Alessio Fabiani <alessio.fabiani@anonymised.com> wrote:

> Hi Justin,
> I have taken a quick look at GSIP 71.
>
> It looks good, I fully agree to have a Users/Groups database/service instead of relying on user.properties, and absolutely agree with password encryption and policies.
>
> I don’t understand very well why we need a role based password though, if it’s your specific need, it’s fine for me.

Sorry, I am not sure I understand what you mean?

> Moreover, given this good amount of work, I would suggest also the following (if it’s not much work):
>
>   • users/groups enable/disable
>   • password expiration
>   • possible extension for registration forms?

All good stuff. Enabling/disabling users/groups is actually already implemented.

> Finally, it’s not very clear in the proposal, or at least to me, how we can extend the security mechanism in order to authenticate against other AA systems like LDAP, CAS or similar.
> Are you planning to rely on spring-security stuff?

Yeah, Andrea brought this up as well and I plan to write some more developer-oriented docs. And yes, everything is more or less based on spring security, although we have more or less come up with our own framework on top; that is what still needs to be documented.

> Regards,
> Alessio.




Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.