geronimo-dev mailing list archives

From Alan Cabrera <>
Subject RE: J2EE security
Date Tue, 12 Aug 2003 15:03:07 GMT

> -----Original Message-----
> From: Nash Foster [] 
> > I'm not clear on what you mean by the statement "rolling your own"
> > since there is no reference implementation of JAAS per se, in that it
> > is included in JDK1.4.  Do you mean the examples?
> Sun calls their JAAS (included in the JDK) a reference implementation,
> [from:]:
>         Sun's 1.0 code release of JAAS is a non-commercial reference
>         implementation. However, the release may be used royalty-free as
>         part of commercial applications. See the software license for
>         more information.

If you look at the top of the page, you'll see that JAAS has been integrated
into the Java 2 SDK, Standard Edition, v 1.4.
> > > So, I'd suggest building
> > > one solid and secure mechanism into Geronimo and then spend 
> > > effort integrating other Enterprise authentication services 
> > > so he can play nice with others. Definitely a differentiator 
> > > in the Enterprise.
> > 
> > It strikes me that these can easily be included by adding more 
> > LoginModules.
> We're on the same page. My suggestion was to build 1 good 
> LoginModule, SRP perhaps, that doesn't require anything 
> external to Geronimo. Then, focus on integrating external products.

Yes, we are close.  About the 1 good LoginModule, in your opinion, what is
it that is inadequate about the JAAS LoginModule paradigm that requires us
to write one good LoginModule and then, in turn, integrate external products
when IMHO the JAAS LoginModule paradigm is just fine?  Can you provide a
scenario where there would be a problem?  Could you be referring to the
principal mapping that's required at higher levels?


OpenEJB Developer

