You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by "Craig R. McClanahan" <Cr...@eng.sun.com> on 2000/04/06 03:39:07 UTC
[VOTE] The current form-based login implementation in Tomcat 3.1
As Costin has said repeatedly, the current implementation of
authentication and access control in Tomcat 3.1 is "experimental". My
investigations show that it works pretty well for BASIC authentication
(there's still a few things I want to validate here), but the form-based
implementation is not yet complete. My feeling is that it will take
substantial work to get the rest of this done and tested, and that it
would hold up 3.1 final if we waited for it.
Therefore, I propose the following plan of action:
* Finish validating that BASIC authentication works,
so that we can at least offer that level of container
managed authentication support using the
"conf/tomcat-users.xml" file. (I will do this unless
someone else wants to focus on it.)
* Comment out the current code that implements
FORM-based authentication, so that no one will
run into a partially complete implementation. This
will go on the list of things for the next release.
* Change the included security example to use
BASIC authentication instead of FORM-based
authentication, so you can run it out of the box.
* Document all this in the release notes, so that
people will know what to expect. (By the way,
DIGEST and SSL-based authentication are also
not yet supported).
What do you think?
Craig McClanahan
Re: [VOTE] The current form-based login implementation in Tomcat 3.1
Posted by Sim IJskes <si...@nyx.xs4all.nl>.
Jason Hunter wrote:
> How's this for a solution:
>
> Remove the hook that acts on the FORM tag and make it act on
> EXPERIMENTAL_FORM. Let FORM be unsupported. We'll allow a FORM
> entry when we behave according to the spec. Put in the release notes
> that experimenters can use EXPERIMENTAL_FORM. This solution should
> require minimal code changes, accomplishes the main things everyone
> wants, and brings us closer to the spirit of the spec.
Perfect idea!
Gr. Sim
Re: [VOTE] The current form-based login implementation in Tomcat 3.1
Posted by Jason Hunter <jh...@acm.org>.
Craig R. McClanahan wrote:
>
> Sim IJskes wrote:
>
> > "Craig R. McClanahan" wrote:
> >
> > > * Comment out the current code that implements
> > > FORM-based authentication, so that no one will
> > > run into a partially complete implementation. This
> > > will go on the list of things for the next release.
> >
> > Please don't do this! Pretty please?
> >
>
> OK, so who is volunteering to sign up for the bug reports
> we're going to get on this topic -- people are going to try it and
> find out that it doesn't work correctly (as well as not meeting the
> spec) -- in spite of any dire warnings to the contrary in the
> release notes.
Yep, nobody reads release notes.
> Personally, I'm much more comfortable
> with "sorry, it's not supported" than I am with "it's kinda, sorta
> there, but it's broken" which is the current state of the code.
I agree with Craig.
Poorly-implemented security is *not* acceptable in my book. The
fact that the project is open source doesn't change what justifies
release quality. I don't think a commercial entity should ship
partially-working security. Why should we?
Imagine we had no form-based security checked in. Imagine someone
proposed we do a half implementation before release. Would we allow
that?
How's this for a solution:
Remove the hook that acts on the FORM tag and make it act on
EXPERIMENTAL_FORM. Let FORM be unsupported. We'll allow a FORM
entry when we behave according to the spec. Put in the release notes
that experimenters can use EXPERIMENTAL_FORM. This solution should
require minimal code changes, accomplishes the main things everyone
wants, and brings us closer to the spirit of the spec.
-jh-
P.S. Cross-posting on tomcat-dev where this seems to belong. Please
send comments on my proposal to that list alone.
Re: [VOTE] The current form-based login implementation in Tomcat 3.1
Posted by Jason Hunter <jh...@acm.org>.
Craig R. McClanahan wrote:
>
> Sim IJskes wrote:
>
> > "Craig R. McClanahan" wrote:
> >
> > > * Comment out the current code that implements
> > > FORM-based authentication, so that no one will
> > > run into a partially complete implementation. This
> > > will go on the list of things for the next release.
> >
> > Please don't do this! Pretty please?
> >
>
> OK, so who is volunteering to sign up for the bug reports
> we're going to get on this topic -- people are going to try it and
> find out that it doesn't work correctly (as well as not meeting the
> spec) -- in spite of any dire warnings to the contrary in the
> release notes.
Yep, nobody reads release notes.
> Personally, I'm much more comfortable
> with "sorry, it's not supported" than I am with "it's kinda, sorta
> there, but it's broken" which is the current state of the code.
I agree with Craig.
Poorly-implemented security is *not* acceptable in my book. The
fact that the project is open source doesn't change what justifies
release quality. I don't think a commercial entity should ship
partially-working security. Why should we?
Imagine we had no form-based security checked in. Imagine someone
proposed we do a half implementation before release. Would we allow
that?
How's this for a solution:
Remove the hook that acts on the FORM tag and make it act on
EXPERIMENTAL_FORM. Let FORM be unsupported. We'll allow a FORM
entry when we behave according to the spec. Put in the release notes
that experimenters can use EXPERIMENTAL_FORM. This solution should
require minimal code changes, accomplishes the main things everyone
wants, and brings us closer to the spirit of the spec.
-jh-
P.S. Cross-posting on tomcat-dev where this seems to belong. Please
send comments on my proposal to that list alone.
Re: [VOTE] The current form-based login implementation in Tomcat 3.1
Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Sim IJskes wrote:
> "Craig R. McClanahan" wrote:
>
> > * Comment out the current code that implements
> > FORM-based authentication, so that no one will
> > run into a partially complete implementation. This
> > will go on the list of things for the next release.
>
> Please don't do this! Pretty please?
>
OK, so who is volunteering to sign up for the bug reports we're going to get
on this topic -- people are going to try it and find out that it doesn't work
correctly (as well as not meeting the spec) -- in spite of any dire warnings
to the contrary in the release notes. Personally, I'm much more comfortable
with "sorry, it's not supported" than I am with "it's kinda, sorta there, but
it's broken" which is the current state of the code.
>
> Gr. Sim
>
Craig
>
> --------------------------------------------------------------------------
> To unsubscribe, email: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commmands, email: tomcat-user-help@jakarta.apache.org
Re: [VOTE] The current form-based login implementation in Tomcat 3.1
Posted by Sim IJskes <si...@nyx.xs4all.nl>.
"Craig R. McClanahan" wrote:
> * Comment out the current code that implements
> FORM-based authentication, so that no one will
> run into a partially complete implementation. This
> will go on the list of things for the next release.
Please don't do this! Pretty please?
Gr. Sim
Re: [VOTE] The current form-based login implementation in Tomcat 3.1
Posted by Jason Hunter <jh...@acm.org>.
"Craig R. McClanahan" wrote:
> Therefore, I propose the following plan of action:
> * Finish validating that BASIC authentication works,
> * Comment out the current code that implements
> * Change the included security example to use
> * Document all this in the release notes, so that
+1
-jh-
Re: [VOTE] The current form-based login implementation in Tomcat 3.1
Posted by Hans Bergsten <ha...@gefionsoftware.com>.
"Craig R. McClanahan" wrote:
>
> As Costin has said repeatedly, the current implementation of
> authentication and access control in Tomcat 3.1 is "experimental". My
> investigations show that it works pretty well for BASIC authentication
> (there's still a few things I want to validate here), but the form-based
> implementation is not yet complete. My feeling is that it will take
> substantial work to get the rest of this done and tested, and that it
> would hold up 3.1 final if we waited for it.
>
> Therefore, I propose the following plan of action:
>
> * Finish validating that BASIC authentication works,
> so that we can at least offer that level of container
> managed authentication support using the
> "conf/tomcat-users.xml" file. (I will do this unless
> someone else wants to focus on it.)
>
> * Comment out the current code that implements
> FORM-based authentication, so that no one will
> run into a partially complete implementation. This
> will go on the list of things for the next release.
>
> * Change the included security example to use
> BASIC authentication instead of FORM-based
> authentication, so you can run it out of the box.
>
> * Document all this in the release notes, so that
> people will know what to expect. (By the way,
> DIGEST and SSL-based authentication are also
> not yet supported).
>
> What do you think?
+1. as long as BASIC authentication is left in 3.1.
Hans
--
Hans Bergsten hans@gefionsoftware.com
Gefion Software http://www.gefionsoftware.com
Re: [VOTE] The current form-based login implementation in Tomcat 3.1
Posted by Anil Vijendran <An...@eng.sun.com>.
"Craig R. McClanahan" wrote:
> Therefore, I propose the following plan of action:
>
> * Finish validating that BASIC authentication works,
> so that we can at least offer that level of container
> managed authentication support using the
> "conf/tomcat-users.xml" file. (I will do this unless
> someone else wants to focus on it.)
+1.
> * Comment out the current code that implements
> FORM-based authentication, so that no one will
> run into a partially complete implementation. This
> will go on the list of things for the next release.
No need for this. This is a product whose source code is available to users
not just for browsing but also for understanding and begin contributing.
I see something like this as a very likely candidate for people to
understand and try to complete -- good bait for more committers.
As long as the release notes clearly and unambiguously document what the
deal is here -- what it is, how in/complete it is, and what to expect/not
expect out of it -- we're fine.
> * Change the included security example to use
> BASIC authentication instead of FORM-based
> authentication, so you can run it out of the box.
+1.
> * Document all this in the release notes, so that
> people will know what to expect. (By the way,
> DIGEST and SSL-based authentication are also
> not yet supported).
+5.
--
Peace, Anil +<:-)
Re: [VOTE] The current form-based login implementation in Tomcat 3.1
Posted by Costin Manolache <co...@eng.sun.com>.
+1 for going on with 3.1 without waiting for "perfect" login implementation.
-1 on "commenting out" the code for form based authentication - it's an
open source project, and this is not the last release - just something that
is better than previous.
Authentication and security are experimental and have to remain that until
enough time passes by and enough people will review the code. We can't
claim we support BASIC, and the whole point of adding the code was to allow
people to play with the concepts in the servlet API - including form based
login.
-1 on claiming we support any form of authentication in 3.1 - I wrote some
of the code and I wouldn't trust it as "security" - we are talking about
2-3 days of coding, and few people who took a look.
If we decide to comment out all "incomplete" code - probably we'll end up
with 1/2 of tomcat.
Costin
> implementation is not yet complete. My feeling is that it will take
> substantial work to get the rest of this done and tested, and that it
> would hold up 3.1 final if we waited for it.
>
>
> Therefore, I propose the following plan of action:
>
> * Finish validating that BASIC authentication works,
> so that we can at least offer that level of container
> managed authentication support using the
> "conf/tomcat-users.xml" file. (I will do this unless
> someone else wants to focus on it.)
>
> * Comment out the current code that implements
> FORM-based authentication, so that no one will
> run into a partially complete implementation. This
> will go on the list of things for the next release.
>
> * Change the included security example to use
> BASIC authentication instead of FORM-based
> authentication, so you can run it out of the box.
>
> * Document all this in the release notes, so that
> people will know what to expect. (By the way,
> DIGEST and SSL-based authentication are also
> not yet supported).
>
> What do you think?
>
> Craig McClanahan
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
Re: [VOTE] The current form-based login implementation in Tomcat
3.1
Posted by Shachor Gal <sh...@techunix.technion.ac.il>.
>
> * Finish validating that BASIC authentication works,
> so that we can at least offer that level of container
> managed authentication support using the
> "conf/tomcat-users.xml" file. (I will do this unless
> someone else wants to focus on it.)
>
+1, But do not make that a show stopper, security is clearly not a
finished issue (clear text passwords for once) and it will require
more work in the future releases.
>
> * Comment out the current code that implements
> FORM-based authentication, so that no one will
> run into a partially complete implementation. This
> will go on the list of things for the next release.
>
-1
>
> * Change the included security example to use
> BASIC authentication instead of FORM-based
> authentication, so you can run it out of the box.
>
> * Document all this in the release notes, so that
> people will know what to expect. (By the way,
> DIGEST and SSL-based authentication are also
> not yet supported).
>
+1 Documenting is very important but we should not claim that we
have working security (meaning a release level implementation).
1. Not enough tests
2. Not enough inspection
The security that is provided (for now) by Tomcat cannot be used for
any real use, lets document that in the release notes and have a working
security system in the next release.
Gal Shachor