james-server-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Peter M. Goldstein" <peter_m_goldst...@yahoo.com>
Subject RE: [PATCH] NNTP Server fixes
Date Wed, 02 Oct 2002 05:42:55 GMT


> You were pointing out a problem in the AuthService, I am suggesting
> the AuthService with something that addresses what you laid out in
> email (replace with AuthServiceFactory - also suggested by you).
> We may be talking about the same thing.

No, we really aren't.

You're not reading my comments.  My points are as follows:

i) Current solution is broken, not only implementation-wise but also

ii) Correctly designing a pluggable, flexible, correct
authentication/authorization mechanism is highly non-trivial.  It
requires time, effort, and knowledge (and potentially use) of current
auth APIs.  There are a number of subtleties, and I'm sure there will be
some strong divergent opinions among the developers.  If you rush it,
you get things like the current AuthService - incorrect, inflexible, and
locked tightly to a particular code base.

We do not have the time to do this properly without pushing out the
release.  There is very obviously not a user base aggressively demanding
this feature, as it's been broken for at least nine months.  So it, like
a number of other things, can get pushed off to the next revision.

> > have an extensive background in authentication and authorization -
> > really feel that the AuthService should be retired.
> Agreed, why don't you fix the rest, I'll address the AuthSevice if you
> like.
> Don't have lot of Auth and Authorization software experience but my
> professional job is security. (not often bug free though). Please feel
> free
> to review it.

As per the above, no.
> Regarding comments etc.
> - How about use @see where possible and

Yep, as I agreed earlier.

> - Not do javadocs on private methods/variables. There does not really
> to be a gain in javadoc for implementation details.

Absolutely not.  All methods/variables should be documented.  I don't
understand how you can say there is no gain in javadocing implementation
details.  The primary goal of documentation is to convey an
understanding of the code to developers other than the author.
Implementation details are just as critical as anything else.  So they
should receive the same level of documentation.


To unsubscribe, e-mail:   <mailto:james-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:james-dev-help@jakarta.apache.org>

View raw message