From: Berin Loritsch
Date: Thu, 21 Jun 2001 13:31:30 -0400
To: cocoon-dev@xml.apache.org
Subject: [RT] Cocoon, JAAS, and Sitemap
Message-ID: <3B322F72.7C1E5427@apache.org>

Ladies and Gentlemen,

I have been giving a lot of thought to possible security models and access authorization architectures lately. Since Java has released Java Authentication and Authorization Services (JAAS), I realized that this was a standard way I could have all my company's apps authenticate and authorize users in a standard manner. I have never really liked the Servlet API's methods of authentication of end users because you could not design your own ways of testing the authentication. If you did, you could not take your application to another Servlet Container.

As what I am about to outline will affect some semantics of the Sitemap, this is something that would have to be effected in version 2.1 or later of Cocoon.

JAAS has some very interesting ways of creating your own LoginModules that set up authorizations, etc. When there is need of feedback from the LoginModule, it uses a CallbackHandler. The CallbackHandler will give a standard list of questions and ways of responding to the questions. This is straightforward.

At first you might think that you could create a Generator that was a CallbackHandler and an Action that populated the Callback array with the answers. While this is part of the solution, the answer is more complicated. JAAS operates by obtaining a LoginContext for a login session initialized with the appropriate CallbackHandler and other information. You will then call the login() method on that LoginContext. After the login is fully authenticated, control returns to the login() method. This is pretty circuitous.

The full solution requires that the login() method be called from the Sitemap. We would need to create an entry in the pipeline with the transformer and serializer set up. We would also need to specify whether a client must be logged in for a specific pipeline. Lastly, we need to have a JAAS executePipelineAction that would be executed as a specific Subject. Lastly we would need some Role based Permissions.

I think the higher sophistication of JAAS and the fact that solutions are portable and customizable for the system is a benefit we can't ignore. For Cocoon to be taken seriously in corporate settings where secure information is prevalent, we need to take advantage of this security model.

Please give me some feedback.
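The JAAS round trip the post describes, as an added example that is not code from the post or from Cocoon: a hypothetical CallbackHandler that replays answers an Action has already collected, a hypothetical LoginModule that accepts one constructed user, login() driven from outside the module (the step the post wants the Sitemap to trigger), and the follow-on work run under the authenticated Subject. The application name "cocoon", the user, the password and the class names are all assumptions.

```java
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Hypothetical handler: an Action already collected the answers into a map; the handler replays them when asked.
class PrefilledCallbackHandler implements CallbackHandler {
    private final Map<String, String> answers;
    PrefilledCallbackHandler(Map<String, String> answers) { this.answers = answers; }
    public void handle(Callback[] cbs) throws UnsupportedCallbackException {
        for (Callback cb : cbs) {
            if (cb instanceof NameCallback) ((NameCallback) cb).setName(answers.get("name"));
            else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(answers.get("password").toCharArray());
            else throw new UnsupportedCallbackException(cb); // unknown question: fail closed rather than guess
        }
    }
}
// Hypothetical LoginModule with one constructed user; a real module would consult a directory or database.
public class SitemapLoginDemo implements LoginModule {
    private Subject subject; private CallbackHandler handler; private boolean authenticated;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); } catch (Exception e) { throw new LoginException("callback failed: " + e.getMessage()); }
        authenticated = "alice".equals(nc.getName()) && Arrays.equals("s3cret".toCharArray(), pc.getPassword());
        pc.clearPassword(); // do not keep the secret in memory longer than needed
        if (!authenticated) throw new FailedLoginException("bad credentials");
        return true;
    }
    public boolean commit() { if (authenticated) subject.getPrincipals().add((Principal) () -> "alice"); return authenticated; }
    public boolean abort() { authenticated = false; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }
    public static void main(String[] args) throws LoginException {
        Configuration conf = new Configuration() { // programmatic JAAS config so no login.config file is needed
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(SitemapLoginDemo.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
            }
        };
        Map<String, String> answers = Map.of("name", "alice", "password", "s3cret"); // constructed credentials
        LoginContext lc = new LoginContext("cocoon", new Subject(), new PrefilledCallbackHandler(answers), conf);
        lc.login(); // control comes back here only once the module has fully authenticated the caller
        String ran = Subject.doAs(lc.getSubject(), (PrivilegedAction<String>) () -> // Subject.callAs on JDK 18+
                "pipeline executed as " + lc.getSubject().getPrincipals().iterator().next().getName());
        System.out.println(ran);
    }
}
```

Running it prints "pipeline executed as alice"; changing the password in the map makes lc.login() throw FailedLoginException, which is where a "client must be logged in" pipeline would refuse to proceed.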