Wednesday 18 March 2015

How to share authentication between Java daemon classes?

There is a daemon class with subclasses, which have their own subclasses, and so on. The daemon reads credentials (login/password) from a config file. There is a singleton AuthManager class which authenticates (via HTTP) with a given login/password/hostname on demand and returns an AuthInfo object containing the login, password digest, auth token and auth token lifetime. AuthManager caches AuthInfo objects and removes them from the cache when their lifetime ends. Each class is able to get an AuthManager reference and to authenticate (once it has the auth details). As an auth token has a lifetime, sometimes a class must obtain a new auth token for the same account. In addition, such classes can be used by different threads and with different accounts.

It doesn't look good to me to share the login/password between classes (on class instantiation). Keeping them in the daemon but sharing them via a public method doesn't look much better.


One more approach is to keep the credentials in AuthManager and have it authenticate and return a new AuthInfo when the old authToken is provided. But it means that all AuthInfo objects must be cached forever, or each class must authenticate separately even for the same account. It also looks like a vulnerability.

So my vision is that all classes which require authentication can have an AuthInfo (which is login+passDigest+host+authToken+lifetime) but they mustn't know the password.

Maybe there is a standard design pattern or standard library for this problem?
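One way to structure what the question describes, as an added example (Java 17; not code from the original post): the daemon registers credentials with the AuthManager once, worker classes only ever receive an AuthInfo (login, password digest, host, token, expiry) and never the password, and expired tokens are refreshed inside the manager keyed by account. TokenService is an assumed interface standing in for the HTTP authentication call.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.HexFormat;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Assumed stand-in for the HTTP call: exchanges login/password/host for a token and its expiry.
interface TokenService {
    record Issued(String token, Instant expiresAt) {}
    Issued authenticate(String host, String login, String password) throws Exception;
}

// What worker classes receive: enough to call the service, but no password.
record AuthInfo(String login, String passDigest, String host, String authToken, Instant expiresAt) {
    boolean isExpired(Instant now) { return !now.isBefore(expiresAt); }
}

final class AuthManager {
    private final TokenService tokens;
    private final Map<String, char[]> passwords = new ConcurrentHashMap<>(); // key: login@host
    private final Map<String, AuthInfo> cache = new ConcurrentHashMap<>();

    AuthManager(TokenService tokens) { this.tokens = tokens; }

    // The daemon loads credentials from its config once; workers never see them.
    void registerAccount(String host, String login, char[] password) {
        passwords.put(login + "@" + host, password.clone());
    }

    // Returns a cached, unexpired AuthInfo, or re-authenticates with the stored credentials.
    // synchronized so concurrent workers on the same account do not both refresh the token.
    synchronized AuthInfo authInfo(String host, String login) throws Exception {
        String key = login + "@" + host;
        AuthInfo cached = cache.get(key);
        if (cached != null && !cached.isExpired(Instant.now())) return cached;
        char[] pw = passwords.get(key);
        if (pw == null) throw new IllegalStateException("no credentials registered for " + key);
        String pwString = new String(pw);
        TokenService.Issued issued = tokens.authenticate(host, login, pwString);
        AuthInfo fresh = new AuthInfo(login, sha256Hex(pwString), host, issued.token(), issued.expiresAt());
        cache.put(key, fresh);
        return fresh;
    }

    // Digest handed out in AuthInfo; the real scheme is whatever the remote service defines.
    private static String sha256Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(d);
    }
}
```

A worker class then calls `authManager.authInfo(host, login)` before each request instead of holding a token itself, so token renewal and account separation stay in one place.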

