geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "hbaxmann" <hol...@bitwind.org>
Subject AW: Security stuff
Date Tue, 11 May 2004 11:21:16 GMT
> On Tue, May 11, 2004 at 10:44:30AM +0200, hbaxmann wrote:
> > > > Obviously this is an integration point that will require 
> > > code changes in Geronimo, Jetty, and OpenEJB.  We wouldn't be 
> > > tied to each other specifically, but to the JAAS and JACC 
> > > specs as required by J2ee 1.4
> > > > 
> > > > Anyone have any feedback on what it will take to get the 
> > > following working?
> > > > 
> > 
> > Just an idea:
> > 
> > 0. Take the security issue seriously with "class HelloWorld 
> could not be
> > loaded because of security exception" kind of art using the 
> already existing
> > java.security and java.policy thingy in conjuntion with a signed
> > org.apache.geronimo.system.main.Daemon geronimo-system-*.jar.
> > 
> 
> We definitely have these thoughts on our radar and plan on being total
> security nuts.  We'd even like to sign things like our own packaged
> components which contain all the classes and configs of something
> Geronimo loads into its container as an actually part the system.
> 

Mhhhm, there are well known J2EE implementations which are able no more to
introduce a AOP-proved security because the whole thing has to be
"refactored": rewritten. Are there any standardization efforts in inventing
or using a already existent _idenfication_mechanism_ for class _instances_ ?

Otherwise IMHO one will end up with a 'turn-one-key-open-all-doors' AOP
crap.

bax


Mime
View raw message