Unfortunately I'm not going to be going to ApacheCon's in the US but to the EU ones
from now on.  However I would love to either get a summary or partake in the discussion
if someone can ping me from IRC or via skype.  This is something I think will benefit us
all.  Thanks David for driving these talks.


On 11/5/07, David Jencks <david_jencks@yahoo.com > wrote:
I've worked a bit on integrating Roller and Jetspeed2 into Geronimo
and one thing that quickly becomes clear is that the authorization
security requirements of these "dynamic content" applications are
almost completely unrelated to the javaee security specifications.
One small possible overlap is that the JACC spec supplies the
possibility of pluggable policies for authorization evaluation.

I wondered if people would be interested in getting together to
discuss how app servers such as geronimo and security products such
as TripleSec could support these non-javaee security requirements and
how much commonality there might be across different types of
application.  I'll be at ApacheCon all week and would be happy to
talk to everyone individually or in an informal meeting.

Some of the things I've been wondering about are:

- permission definition
- user administration: how are users added and removed or have their
permissions changed.
- resource administration: how are resources such as blogs, portal
pages, or portlets added or removed or have their user access changed
- specification of "default policy" for new users and new resources:
e.g. when a new user signs up what can they do?

david jencks