DOJO and Security

 
Ranch Hand
Posts: 190
What is your preferred method of implementing security (authentication/authorization) with a sovereign DOJO application?

Does your book contain any best practice examples of this?
 
Ranch Hand
Posts: 136
No, the book doesn't discuss that at all because I'm not sure what the use case would be. Well, I take that back, I can think of some situations... a sovereign webapp run in a library for example, you might want to have the concept of users that maybe stores settings in Gears or something like that.

That being said, I think that's maybe a bit of an unusual use case... I think typically you tend to assume that a sovereign webapp is run by one user, since it's on their machine. Think of it like MS Word or something... you don't have to log in to use it, even though you may have some user-specific settings (initials for example).

Then again, a counter-example would be Firefox, where you have profiles. But even in that case there's nothing like authentication or logging in, there's simply switching profiles.

I haven't done much thinking about this I'll admit, so I'm just kind of throwing out some ideas here. But the answer to your question in any case is no, this isn't discussed in the book at all and I don't at present have any preferred method to do this.
 
Chris Boldon
Ranch Hand
Posts: 190
Thanks Frank. It is a rather interesting case, which is why I bring it up. It is one of those things I'd like to see presented, and see how someone else addresses the issue.

In any event, I look forward to taking a look at your book.
 
Frank Zammetti
Ranch Hand
Posts: 136
Yeah, I'm with you, it's something I'd like to hear about too. I suspect there's probably only a limited set of cases where it would come into play, but they are interesting cases and worth discussing.

I suppose the way you could tackle it is that every time a user "registers", the app creates a separate Gears database for them, with the password stored in it in an encrypted form. This is in no way, shape or form 100% secure, but it's probably good enough for many situations. That way, the data is segregated and should, to a first approximation, be somewhat safe from others. Of course, you can just hack the SQLite database files, but like I said, to a first approximation that might be an acceptable risk.

I think I remember seeing Dojo including some encryption support on top of Gears, but I'm not sure of the status of that, how robust it is, or how far along it is. That could be another good, helpful piece of the puzzle.
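A sketch of the per-user store idea from the post above, added here as an illustration (not code from the thread, the book, Dojo or Gears). It swaps the "password stored in encrypted form" for a salted scrypt verifier and encrypts the settings under a key derived from the same password, so a copied or edited database file is unreadable or rejected without the password. Assumptions: Node's `crypto` module stands in for browser-side crypto, a `Map` stands in for the per-user local database, and all function names are hypothetical.

```javascript
// Added example: a Map stands in for the per-user local database file.
const crypto = require('crypto');

const stores = new Map(); // username -> record, as it would sit on disk

// Derive 64 bytes from the password: the first 32 become the stored verifier,
// the last 32 the AES key, which is never written to the store.
function derive(password, salt) {
  const out = crypto.scryptSync(password, salt, 64);
  return { verifier: out.subarray(0, 32), key: out.subarray(32) };
}

function register(user, password) {
  const salt = crypto.randomBytes(16);
  const { verifier } = derive(password, salt);
  stores.set(user, { salt, verifier, iv: null, tag: null, data: null });
}

// Returns the data key on success, null on a wrong password or unknown user.
function login(user, password) {
  const rec = stores.get(user);
  if (!rec) return null;
  const { verifier, key } = derive(password, rec.salt);
  return crypto.timingSafeEqual(verifier, rec.verifier) ? key : null;
}

function saveSettings(user, key, settings) {
  const rec = stores.get(user);
  const iv = crypto.randomBytes(12); // fresh nonce for every write
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  rec.data = Buffer.concat([c.update(JSON.stringify(settings), 'utf8'), c.final()]);
  rec.iv = iv;
  rec.tag = c.getAuthTag();
}

// Throws if the stored ciphertext was edited or the key is wrong.
function loadSettings(user, key) {
  const rec = stores.get(user);
  const d = crypto.createDecipheriv('aes-256-gcm', key, rec.iv);
  d.setAuthTag(rec.tag);
  return JSON.parse(Buffer.concat([d.update(rec.data), d.final()]).toString('utf8'));
}
```

The stored verifier can still be guessed offline by anyone who copies the file, so the protection is only as strong as the password.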
 