On 5/17/07, Dave <[EMAIL PROTECTED]> wrote:
On 5/17/07, Matt Raible <[EMAIL PROTECTED]> wrote:
> I can't argue with 1 or 3, but #2 seems to mean that users will be
> required to use a container that supports OpenSSO or OpenID in order to
> get those features. Acegi has OpenID support in its sandbox. When
> that's released, we can integrate it and support OpenID across all app
> servers, not just the ones that support it. Of course, if the mission
> of OpenSSO is to provide a CMA Adapter for all containers, the point
> is moot.
Yes, that's the idea -- everything should be done via standard CMA so
that Roller can take advantage of the authentication features that are
built into app servers.
Again, I'm not proposing this now -- I just mentioned it because the
topic of immutable WAR came up.
One more thing I think we need to remember when considering the switch
back to CMA. The Remember Me implementation we used (and every one I've
got working with CMA) requires a redirect to the protected resource
with the username/password in the URL. I've tried forwarding (doesn't
work) and using Commons HttpClient to do a post (causes other issues).
If the Roller install doesn't have password encryption turned on,
this means passwords could show up in the log files. Acegi solves this
problem.
I'm guessing that Remember Me wasn't a feature that IBM needed with
their version because they're using SSO. I like Remember Me,
especially for the installs that won't be using SSO. If we can figure
out a good Remember Me solution that works with CMA and doesn't
require redirecting with the username/password in the URL - that's a
different story.
Matt
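
An added example, not part of the original message or of Roller's code: a scrubber that finds and redacts passwords carried in the query string of access-log request lines, the exposure described above for a Remember Me redirect. The parameter names (the Servlet form-login names `j_username`/`j_password`), the `/roller/...` paths and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: the redirect uses the Servlet form-login field names.
SENSITIVE_PARAMS = {"j_password", "password"}

# Request line inside a Common Log Format entry: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_target(target):
    """Return (redacted_target, leaked_param_names) for one request target."""
    parts = urlsplit(target)
    leaked, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            leaked.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not leaked:
        return target, leaked  # leave clean targets byte-for-byte unchanged
    return urlunsplit(parts._replace(query=urlencode(pairs))), leaked

def scrub_line(line):
    """Redact sensitive query parameters in one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    new_target, leaked = redact_target(m.group("target"))
    return line[:m.start("target")] + new_target + line[m.end("target"):], leaked

def find_leaks(lines):
    """Return 1-based numbers of the lines that carried a password in the URL."""
    return [n for n, line in enumerate(lines, 1) if scrub_line(line)[1]]

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/May/2007:10:15:02 -0600] '
    '"GET /roller/j_security_check?j_username=alice&j_password=s3cr3t%21 HTTP/1.1" 302 -',
    '192.0.2.10 - - [17/May/2007:10:15:03 -0600] '
    '"GET /roller/page/alice?entry=hello HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scrub_line(line)[0])
    print("lines with credentials in URL:", find_leaks(SAMPLE_LOG))
```

Any hit from `find_leaks` means the password has already been written to disk, so the affected account's password should be rotated in addition to scrubbing the log.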