geronimo-dev mailing list archives

From Kevin Conner <Kevin.Con...@orchard-systems.co.uk>
Subject RE: Apache Geronimo Security
Date Tue, 28 Oct 2003 10:23:23 GMT
I hope you two don't mind me adding something to the discussion, I hope it
is pertinent.

I have a login module that does something similar to what is being proposed
by Edward, the recursive mapping of the role principals until no more mapping
can be performed. Associated with each of these roles are properties that are
used to fine-tune the security or provide general user properties (the user
principal also has associated properties).

I was asked to implement this because our clients required a hierarchical
approach to security; they wanted the ability to specify a role in terms of
other roles.

This has worked very well in our environment and our customers heavily use
this capability, mapping the roles onto their own organisational structure.

IMHO the login module is the best place for this mapping, for performance
reasons if no other, and it would be easy to abstract the recursive nature
into a base class. I also agree, again IMHO, that the login module is the
best place because the JAAS framework delegates this responsibility to the
login module.

Once again, I hope you don't mind this intrusion.

	Kev
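
Added example, not part of the message above and not Geronimo code: one way to implement the recursive role mapping the message describes, expanding a user's directly assigned roles until no more mapping can be performed, with a visited set so that a role defined in terms of itself (directly or indirectly) cannot loop. The names RoleExpansionExample, RolePrincipal, expand, attach and the sample role map are hypothetical.

```java
import java.security.Principal;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

// Hypothetical names throughout; requires Java 16+ for records.
public class RoleExpansionExample {

    // Minimal role principal; a record supplies equals/hashCode for Set membership.
    record RolePrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    // Expand directly assigned roles through roleMap (role -> roles it is
    // defined in terms of) until no further mapping applies.
    static Set<String> expand(Set<String> direct, Map<String, Set<String>> roleMap) {
        Set<String> resolved = new LinkedHashSet<>();
        Deque<String> pending = new ArrayDeque<>(direct);
        while (!pending.isEmpty()) {
            String role = pending.pop();
            if (!resolved.add(role)) {
                continue; // already expanded: this is what terminates cycles
            }
            pending.addAll(roleMap.getOrDefault(role, Set.of()));
        }
        return resolved;
    }

    // What a LoginModule.commit() would do with the result: attach the principals.
    static void attach(Subject subject, Set<String> roles) {
        roles.forEach(r -> subject.getPrincipals().add(new RolePrincipal(r)));
    }

    public static void main(String[] args) {
        // Constructed sample data: a small organisational hierarchy with a cycle.
        Map<String, Set<String>> roleMap = Map.of(
            "regional-manager", Set.of("team-lead", "report-viewer"),
            "team-lead", Set.of("employee"),
            "report-viewer", Set.of("auditor"),
            "auditor", Set.of("report-viewer")); // misconfigured cycle
        Subject subject = new Subject();
        attach(subject, expand(Set.of("regional-manager"), roleMap));
        subject.getPrincipals().forEach(p -> System.out.println(p.getName()));
    }
}
```

Because the expansion runs once at login, a later change to the role map only affects Subjects authenticated after the change.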
