From: Jan Bartel
Reply-To: janb@mortbay.com
Organization: Mort Bay Consulting
Date: Thu, 27 Nov 2003 15:52:58 +1100
To: geronimo-dev@incubator.apache.org
Subject: [security] Authentication mechanism

I'm just taking a look at integrating the web tier security with Geronimo security. I've got a couple of questions:

1. When/who should call setMBeanServer on the GeronimoLoginConfiguration? Should I call it just before doing a LoginContext login() call?

2. What code is responsible for configuring the SecurityRealm instances? Should they be configurable from the security-service.xml file?

3. I still can't work out where the mapping of the user's roles that are retrieved by the SecurityRealm are turned into permissions suitable for a HttpRequest.isUserInRole() call impl?

Any pointers on any of these would be welcome.

thanks
Jan