Add a security model. Security needs are pervasive. The Eclipse Platform should provide the basic framework for a security mechanism that can be used by all plug-ins, including a simple credentials store and user authentication. Additionally, key parts of the Platform itself should be secured, such as the ability to install plug-ins, which might need to be restricted in certain products or for certain users. [Platform Core, Platform Update] [Theme: Rich client platform]
[I've posted this on platform-core-dev and John Arthon suggested to add this here]

Coming from the Mac I've learned to love the concept of a "keychain", that is a central place in the OS where passwords are securely stored and where applications can easily get access to them (if the keychain is unlocked of course). The benefits of using a keychain are that
- users have a single sign-on,
- a single policy exists for dealing with passwords,
- passwords are securely stored if the keychain is locked,
- users can look up and edit their passwords in a safe and secure place if they need to (for example I change my Novell password in my keychain whenever the system forces me to change it and after that I'm sure never to be asked again for the new password from any application)

So an API for a Keychain service would probably be something like this:

    getPasswordFromKeychain(...);
    storePasswordInKeychain(...);

Do you think platform specific Keychain support for Eclipse would be feasible? If yes, I can look into the Keychain manager of MacOS X in order to give you more detailed information about what a minimal API could look like.
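An added sketch of the two calls proposed in the comment above, showing how a lock/unlock state can gate access to stored passwords; it is not part of the original thread and is not Eclipse or Mac OS X code. The class name `Keychain`, the `unlock`/`lock` methods, the method signatures, the in-memory store and the choice of PBKDF2 with AES-GCM (via the standard JCE) are all assumptions made for illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

/** Hypothetical keychain: entries are stored encrypted and are readable only while unlocked. */
public class Keychain {
    private final SecureRandom rng = new SecureRandom();
    private final byte[] salt = new byte[16];
    private final Map<String, byte[]> entries = new HashMap<>(); // service -> IV || ciphertext
    private SecretKey key; // null while the keychain is locked

    public Keychain() { rng.nextBytes(salt); }

    /** Derives the AES key from the master passphrase; a wrong passphrase fails on read (bad GCM tag). */
    public void unlock(char[] master) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(master, salt, 210_000, 256);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        key = new SecretKeySpec(f.generateSecret(spec).getEncoded(), "AES");
        spec.clearPassword();
    }

    public void lock() { key = null; }

    private Cipher cipher(int mode, String service, byte[] buf) throws Exception {
        if (key == null) throw new IllegalStateException("keychain is locked");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(128, buf, 0, 12)); // first 12 bytes of buf are the IV
        c.updateAAD(service.getBytes(StandardCharsets.UTF_8));    // bind each entry to its service name
        return c;
    }

    public void storePasswordInKeychain(String service, char[] password) throws Exception {
        byte[] iv = new byte[12];
        rng.nextBytes(iv); // fresh random IV per entry; never reuse an IV under the same key
        byte[] pt = new String(password).getBytes(StandardCharsets.UTF_8);
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, service, iv).doFinal(pt);
        byte[] blob = Arrays.copyOf(iv, 12 + ct.length);
        System.arraycopy(ct, 0, blob, 12, ct.length);
        entries.put(service, blob);
    }

    public char[] getPasswordFromKeychain(String service) throws Exception {
        byte[] blob = entries.get(service);
        if (key != null && blob == null) return null; // unlocked, nothing stored; a locked keychain throws below
        byte[] pt = cipher(Cipher.DECRYPT_MODE, service, blob).doFinal(blob, 12, blob.length - 12);
        return new String(pt, StandardCharsets.UTF_8).toCharArray();
    }
}
```

Because the service name is fed in as GCM associated data, a stored blob copied under a different service name fails authentication instead of decrypting.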
If Eclipse is to be used as a rich client platform, a security model should be compatible with J2SE (JAAS, JCE and JSSE) and J2EE (role based security), the latter if a rich client is to be used as client for EJBs or servlets running in an application server.
This originally proposed plan item has been pushed back to deferred and will be addressed post 3.0.
(In reply to comment #3)
> This originally proposed plan item has been pushed back to deferred and will be
> addressed post 3.0.

Very sad to read! The missing security capabilities are the major drawback for using the Eclipse RCP for serious commercial applications. Are there any plans when this item will be addressed?
[LATER->WONTFIX] The "LATER" bugzilla resolution is being removed so reopening to mark as WONTFIX.