Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 37692

Summary: [plan item] Add a security model
Product: [Eclipse Project] Platform Reporter: Jim des Rivieres <jeem>
Component: RuntimeAssignee: DJ Houghton <dj.houghton>
Status: RESOLVED WONTFIX QA Contact:
Severity: enhancement    
Priority: P4 CC: abrennan, andre_weinand, bugzilla, danrubel, gunnar, jaltman, jed.anderson, v.vachhani, victor
Version: 2.1Keywords: plan
Target Milestone: ---   
Hardware: All   
OS: All   
Whiteboard:

Description Jim des Rivieres CLA 2003-05-15 11:17:22 EDT 
Add a security model. Security needs are pervasive. The Eclipse Platform 
should provide the basic framework for a security mechanism that can be used 
by all plug-ins, including a simple credentials store and user authentication. 
Additionally, key parts of the Platform itself should be secured, such the 
ability to install plug-ins, which might need to be restricted in certain 
products or for certain users. [Platform Core, Platform Update] [Theme: Rich 
client platform]
Comment 1 Andre Weinand CLA 2003-07-24 06:01:11 EDT 
[I've posted this on platform-core-dev and John Arthon suggested to add this here]

Coming from the Mac I've learned to love the concept of a "keychain", that is a central place in the  
OS where passwords are securely stored and were applications can easily get access to (if the 
keychain is unlocked of course).

The benefits of using a keychain is that
- users have a single sign-on,
- a single policy exists for dealing with passwords,
- passwords are securely stored if keychain is locked,
- user can lookup and edit their passwords in a safe and secure place if they need to
  (for example I change my Novell password in my keychain whenever the system forces me to
  change it and after that I'm sure never to be asked again for the new password from any
  application)

So an API for a Keychain service would probably something like this:
getPasswordFromKeychain(...);
storePasswordInKeychain(...);

Do you think platform specific Keychain support for Eclipse would be feasible?
If yes, I can look into the Keychain manager of MacOS X in order to give you more detailled
information about how a minimal API could look like.
Comment 2 Juergen Weber CLA 2003-12-03 10:13:22 EST 
If Eclipse is to be used as a rich client platform, a security model should be
compatibel with J2SE (JAAS, JCE and JSSE) and J2EE (role based security), the
latter if a rich client is to be used as client for EJBs or servlets running in
an application server.
Comment 3 DJ Houghton CLA 2004-04-15 10:45:39 EDT 
This originally proposed plan item has been pushed back to deferred and will be
addressed post 3.0.
Comment 4 Dirk Hagener CLA 2005-03-17 10:53:48 EST 
(In reply to comment #3)
> This originally proposed plan item has been pushed back to deferred and will 
be
> addressed post 3.0. 

Very sad to read! The missing security capabilities are the major drawback for 
using the Eclipse RCP for serious commercial applications. Are there any plans 
when this item will be addressed?
Comment 5 John Arthorne CLA 2009-08-18 16:15:12 EDT 
[LATER->WONTFIX] The "LATER" bugzilla resolution is being removed so reopening to mark as WONTFIX.
Comment 6 John Arthorne CLA 2009-08-18 16:21:09 EDT 
[LATER->WONTFIX] The "LATER" bugzilla resolution is being removed so reopening to mark as WONTFIX.