geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alan D. Cabrera" <...@toolazydogs.com>
Subject RE: Security stuff
Date Tue, 11 May 2004 11:54:33 GMT


> -----Original Message-----
> From: Jan Bartel [mailto:janb@mortbay.com]
> 
> David,
> 
> Just some passing comments.
> 
> > So we have a bunch of security infrastructure there that keeps
growing,
> but none of it is used anywhere.  Is it possible we could get some of
this
> hooked in?
> >
> > Obviously this is an integration point that will require code
changes in
> Geronimo, Jetty, and OpenEJB.  We wouldn't be tied to each other
> specifically, but to the JAAS and JACC specs as required by J2ee 1.4
> >
> > Anyone have any feedback on what it will take to get the following
> working?
> >
> > 1. Authentication: JAAS Login from Servlet container on any Form or
> Basic auth request.
> This is probably not going to be too much work, as Jetty already does
> JAAS login for the JettyPlus product.
> 
> > 2. Authorization: JACC permissions checks by the servlet container.
> This is going to require quite a bit of work deep in the internals of
> Jetty to replace Jetty's tempest-tested security code, and therefore
> some thorough analysis of what should be done, the best way to do it
and
> the implications for Jetty.

I've been reading the Jetty code, a real pleasure BTW, it seems that the
security handlers, authenticators, and realms are tightly integrated
with the server and context.  A looser coupling would allow users to use
the same Jetty security paradigm that is currently in place, while
allowing one to snap in JACC if one so desired.

I've been working on this and will have some preliminary patches in a
few days.  I am eager to hear your opinion.

> Not that it makes any difference whatsoever to the need to implement
it
> for Geronimo, but for my 2c, I think as a spec, JACC is a waste of
> space: too detailed and addresses the wrong problem.

I am curious to know what J2EE security problem is out there that you
think still needs to be addressed.  Just interested.

IIUC, JACC allows third party enterprise security packages to be snapped
into J2EE servers.  There are already third party vendors out there.


Regards,
Alan



Mime
View raw message