geronimo-dev mailing list archives

From "Simon" <si...@godik.com>
Subject pluggable jacc support
Date Mon, 23 Jan 2006 06:03:28 GMT
Pluggable jacc: Support multiple security providers; support custom
permissions not specified by the spec.

Multiple security providers: I think that it is possible to support the special
case of 'delegating' jacc providers (i.e. providers that make some decisions
themselves and delegate to the jre-wide provider otherwise). One and only one
provider will be responsible for installing jre-wide policy. The same
provider would play dispatching role for get-policy-configuration calls.
Geronimo provider can be the one. One can imagine jacc providers that differ
in policy persistence strategy.

Custom permissions: jacc providers that support custom permissions must have
some form of policy language and policy persistence strategy. Providers that
support jacc policy evaluation strategy will use std policy-configuration
api to configure policy. Providers that support custom policy evaluation
strategies will have their own policy configuration api.

I agree with David J that deployment should be schema-driven; several
delegating security-builders can be configured. An application should use
just --one-- security namespace, so we can avoid conflicts between different
providers. As per David J, each security-builder will use its own
application-configuration-manager gbean to build its policy configuration.

Another item is role-to-principal mapping for the core Geronimo jacc
implementation; the core Geronimo jacc provider should support external mapping.
It would be nice to have an app that will map roles to principals externally
for different security realms.

Simon
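
The "delegating" provider arrangement described in the message, sketched as an added example that is not part of the original post and is not Geronimo code: a `java.security.Policy` subclass answers for one custom permission type itself, failing closed, and hands every other permission to the JRE-wide policy. All class names, the `ReportPermission` type, the principal-name grant map and the deny-all stand-in delegate are assumptions; dispatching of JACC policy-configuration calls is not covered.

```java
import java.security.*;
import java.util.Map;

// Added illustration; every class name here is hypothetical, none is Geronimo code.
public class DelegatingPolicyDemo {
    // Constructed custom permission, i.e. one the JACC spec does not define.
    static final class ReportPermission extends BasicPermission {
        ReportPermission(String name) { super(name); }
    }

    // Decides ReportPermission itself; hands every other permission to the delegate.
    static final class DelegatingPolicy extends Policy {
        private final Policy jreWide;
        private final Map<String, PermissionCollection> grants; // principal name -> grants
        DelegatingPolicy(Policy jreWide, Map<String, PermissionCollection> grants) {
            this.jreWide = jreWide;
            this.grants = grants;
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            if (!(permission instanceof ReportPermission)) {
                return jreWide.implies(domain, permission); // not ours: delegate
            }
            // Ours: answer locally and fail closed; never fall through to the delegate.
            for (Principal p : domain.getPrincipals()) {
                PermissionCollection pc = grants.get(p.getName());
                if (pc != null && pc.implies(permission)) return true;
            }
            return false;
        }
    }

    public static void main(String[] args) {
        Policy denyAll = new Policy() { // stand-in for the JRE-wide policy
            @Override public boolean implies(ProtectionDomain d, Permission p) { return false; }
        };
        Permissions alicePerms = new Permissions();
        alicePerms.add(new ReportPermission("report.read"));
        Policy policy = new DelegatingPolicy(denyAll, Map.of("alice", alicePerms));

        Principal alice = () -> "alice"; // constructed principals
        Principal bob = () -> "bob";
        ProtectionDomain a = new ProtectionDomain(null, null, null, new Principal[] {alice});
        ProtectionDomain b = new ProtectionDomain(null, null, null, new Principal[] {bob});
        System.out.println(policy.implies(a, new ReportPermission("report.read")));  // local grant
        System.out.println(policy.implies(b, new ReportPermission("report.read")));  // local deny
        System.out.println(policy.implies(a, new RuntimePermission("exitVM")));      // delegated
    }
}
```

Keeping the custom-permission branch from falling through to the delegate means a missing local grant can never be satisfied by a broad grant in the JRE-wide policy.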

