avalon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "MCCAY,LARRY (HP-NewJersey,ex2)" <lawrence_mccay-...@hp.com>
Subject Security - AAA implementation [was RE: DefaultRoleManager in Cor nerstone]
Date Thu, 17 Jan 2002 22:00:09 GMT
Hello all,

I am hoping to propose an implementation of AAA Security functionality for

Based on a breif discussion with Peter (below), the design would have a J2EE
flavor for roles-based access control.

Some of the components to make up the implementation would be:
	* Identity Manager for access to user identity and attribute
information through disperate user registries.
	* Pluggable Realms to abstract the underlying user registry access -
initially XMLRealm, JDBCRealm, JNDIRealm
	* Role Manager for managing the mapping of identity principals to
	* Authority Manager for making access decisions for specific users
to specific resources
	* Authentication Manager - verfies the identity of user against the
user registry - one concrete implementation would be an abstraction of the
use of JAAS.
	* Auditing Manager for recording relevant security related events
	* Administration interfaces to be exposed through JMX

The initial test-bed will be the AvalonDB application.

Any thoughts on this approach?



> -----Original Message-----
> From: Peter Donald [mailto:peter@apache.org]
> Sent: Sunday, January 13, 2002 3:36 AM
> To: Avalon Developers List
> Subject: Re: DefaultRoleManager in Cornerstone
> On Sun, 13 Jan 2002 16:08, MCCAY,LARRY (HP-NewJersey,ex2) wrote:
> > Peter,
> >
> > Is there still effort needed in the area of security?
> yep ;)
> > I would be interested in helping here.
> And we'd be interested in seeing you help here ;)
> Theres definetly some space there for you to make something 
> very useful. SOme 
> of the things that we have identified the need for in the past is
> * Identity Manager with pluggable Realms: ie basically list 
> of users and 
> some attributes about them (from generic attributes like 
> email address to 
> domain specific attributes). It would als be nice to be able to have 
> pluggable realms so that we could load users from the "Unix" 
> realm, NT 
> domain, properties files, xml files, database, ldap etc - Of 
> course you don't 
> need to do this all straight away ;)
> * RoleManager: Maps users/identitys to Roles - ie Fred is an 
> administrator, 
> Wilma is a user
> * Authority Manager: ie does role X have permission to do Y
> * Authentication Manager: ie essentially hookup with JAAS in 
> a flexible 
> manner.
> You will notice this has a sort of J2EE flavour - this was largely 
> intentional and theres probably lots more useful information 
> in the J2EE 
> Blueprints.
> I think Paul has looked at this sort of thing more recently. 
> If you are up 
> for having a go at this it may be interesting to integrate 
> this with DB or 
> the James server just to see test it out and all ;)
> -- 
> Cheers,
> Pete
> ----------------------------------------
> Why does everyone always overgeneralize?
> ----------------------------------------
> --
> To unsubscribe, e-mail:   
For additional commands, e-mail: <mailto:avalon-dev-help@jakarta.apache.org>

To unsubscribe, e-mail:   <mailto:avalon-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:avalon-dev-help@jakarta.apache.org>

View raw message