geronimo-dev mailing list archives

From Jan Bartel <j...@mortbay.com>
Subject Re: Security stuff
Date Tue, 11 May 2004 08:00:21 GMT
David,

Just some passing comments.

> So we have a bunch of security infrastructure there that keeps growing, but none of it is used anywhere.  Is it possible we could get some of this hooked in?
> 
> Obviously this is an integration point that will require code changes in Geronimo, Jetty, and OpenEJB.  We wouldn't be tied to each other specifically, but to the JAAS and JACC specs as required by J2EE 1.4.
> 
> Anyone have any feedback on what it will take to get the following working?
> 
> 1. Authentication: JAAS Login from Servlet container on any Form or Basic auth request.
This is probably not going to be too much work, as Jetty already does 
JAAS login for the JettyPlus product.

> 2. Authorization: JACC permissions checks by the servlet container.
This is going to require quite a bit of work deep in the internals of 
Jetty to replace Jetty's tempest-tested security code, and therefore 
some thorough analysis of what should be done, the best way to do it and 
the implications for Jetty.

Not that it makes any difference whatsoever to the need to implement it 
for Geronimo, but for my 2c, I think as a spec, JACC is a waste of 
space: too detailed and addresses the wrong problem.

cheers,
Jan



