geronimo-dev mailing list archives

From "hbaxmann" <>
Subject AW: Security stuff
Date Tue, 11 May 2004 08:44:30 GMT
> David,
> Just some passing comments.
> > So we have a bunch of security infrastructure there that keeps growing, but none of it is used anywhere.  Is it possible we could get some of this hooked in?
> > 
> > Obviously this is an integration point that will require code changes in Geronimo, Jetty, and OpenEJB.  We wouldn't be tied to each other specifically, but to the JAAS and JACC specs as required by J2EE 1.4
> > 
> > Anyone have any feedback on what it will take to get the following working?
> > 

Just an idea:

0. Take the security issue seriously with "class HelloWorld could not be
loaded because of security exception" kind of art using the already existing
and java.policy thingy in conjunction with a signed
org.apache.geronimo.system.main.Daemon geronimo-system-*.jar.


> > 1. Authentication: JAAS Login from Servlet container on any Form or Basic auth request.
> This is probably not going to be too much work, as Jetty already does 
> JAAS login for the JettyPlus product.
> > 2. Authorization: JACC permissions checks by the servlet container.
> This is going to require quite a bit of work deep in the internals of 
> Jetty to replace Jetty's tempest-tested security code, and therefore 
> some thorough analysis of what should be done, the best way to do it and
> the implications for Jetty.
> Not that it makes any difference whatsoever to the need to implement it
> for Geronimo, but for my 2c, I think as a spec, JACC is a waste of
> space: too detailed and addresses the wrong problem.
> cheers,
> Jan
