geronimo-dev mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: AC/US /security/ related talk need (2 weeks from yesterday)
Date Sat, 25 Oct 2008 00:41:04 GMT

On Oct 24, 2008, at 4:40 PM, Davanum Srinivas wrote:

> David,
>
> 2 cents, how would one secure Geronimo in an enterprise scenario (say
> LDAP servers) would help the admin guys I think.

That would be using the ldap login module?  I could use that as the  
example of swapping credential validation.  Maybe I'm being too  
ambitious.... I thought that was covered pretty well in the docs.

thanks
david jencks

>
>
> -- dims
>
> On Fri, Oct 24, 2008 at 7:07 PM, David Jencks <david_jencks@yahoo.com> wrote:
>> Geronimo Security, now and coming soon
>>
>> Security can be divided into negotiation for credentials, credential
>> validation, and authorization.
>>
>> First we'll look at setting up and swapping credential validation in
>> Geronimo, a simple process everyone has to do to secure an application.
>>
>> Then we'll look at the JACC authorization framework where the security
>> constraints in the javaee deployment descriptors and annotations are
>> translated into java permissions and used, together with a principal-role
>> mapping, to authorize requests at runtime.  If time allows we'll look at
>> swapping JACC implementations.  We'll look at extending the JACC concepts to
>> other authorization decisions such as in portal frameworks.
>>
>> Finally we'll look at the upcoming JASPI support that allows pluggable
>> negotiation for credentials and see how it can be used to plug openid
>> authentication into a web app to replace basic or form based authentication.
>>
>>
>> ------------
>> I haven't written this yet so having lots of time to work on it would be
>> great and any suggestions for improvement would be appreciated.
>>
>> thanks
>> david jencks
>>
>> On Oct 23, 2008, at 9:46 AM, William A. Rowe, Jr. wrote:
>>
>>> Hello Experts,
>>>
>>> the AC/US planning team has a 1hr gap in the program, of the "Security"
>>> topic track 1 on Thursday 6 November.
>>>
>>> http://us.apachecon.com/c/acus2008/schedule/2008/11/06
>>>
>>> Please get back to me ASAP if you have (or would like to create) a session
>>> that hits one or more of the bullets below;
>>>
>>> * security related
>>>
>>> * ideally of some interest to admins, perhaps of interest to devs
>>>
>>> * ideally related to some aspect of securing systems or apps with
>>> consideration of client vulnerabilities
>>>
>>> I'd appreciate any suggestions by Sat a.m., so whoever offers
>>> to pick this up has a solid week+ to prepare.  Certainly by Mon a.m.
>>> please?  Remember all the usual speaker benefits apply, including
>>> registration, and some flight and lodging costs.
>>>
>>> Bill
>>>
>>
>>
>
>
>
> -- 
> Davanum Srinivas :: http://davanum.wordpress.com

