geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Blevins <david.blev...@visi.com>
Subject Re: Security stuff
Date Tue, 11 May 2004 10:48:59 GMT
On Tue, May 11, 2004 at 10:00:21AM +0200, Jan Bartel wrote:
> >1. Authentication: JAAS Login from Servlet container on any Form or Basic 
> >auth request.
> This is probably not going to be too much work, as Jetty already does 
> JAAS login for the JettyPlus product.

Great, this is a big win. If we can get this plugged in asap, we can
get started on leveraging the subject in OpenEJB's security code--in
other words, our own JACC nonsense :) It also means Alan will finally
be forced to put finishing touches on his RealmProvider thingies for
M2 users.

> >2. Authorization: JACC permissions checks by the servlet container.
> This is going to require quite a bit of work deep in the internals of 
> Jetty to replace Jetty's tempest-tested security code, and therefore 
> some thorough analysis of what should be done, the best way to do it and 
> the implications for Jetty.
> 
> Not that it makes any difference whatsoever to the need to implement it 
> for Geronimo, but for my 2c, I think as a spec, JACC is a waste of 
> space: too detailed and addresses the wrong problem.

>From the container's perspective, you're simply required to insantiate
a rediculous number of permission instances and continously call
hasPermission, which is a typical java security check.  The provider
does all the other work using the data from the web.xml feed into it
during the deploy process.  But you are right, there is no reason to
use it unless you are integrating with someting else.

You're probably not going to want to make this an out-of-the-box Jetty
thing at all and may want to just provide some hook for pluging it in,
hopefully in a way that is the least intrussive.  As you mention, the
existing Jetty securtity code is solid and that's worth a lot to
users.

Might I suggest a technique I used on OpenEJB to move forward on
several integration things that are really experimental in nature.
Create a cvs branch of the latest greatest Jetty and start the
experimentation there.  That way, integrating with something as young
as Geronimo doesn't hold up Jetty releases and affect Jetty users.  In
all likely hood, I think it will take at least 2-3 months to really
get it right (i.e. not changing everyday).  The best approach for
supporting all this in a regular Jetty release probably won't be
visible till things have settled.

Usually things like this go through awkward growing phases before they
are ready for a prime-time branch.

-David

Mime
View raw message