From: Ivan
To: dev@geronimo.apache.org
Date: Thu, 12 Nov 2009 18:27:29 +0800
Subject: User Admin Service in Geronimo 3.0 OSGI-Integration
Message-ID: <45f744e40911120227p3d2170f5tba3bee42aebbdd3c@mail.gmail.com>

Hi,

In the OSGi world, the User Admin service is used for authentication and authorization. I am thinking about what we could do between the User Admin Service and Geronimo 3.0.

On one side, is it possible for Geronimo to provide any User Admin service implementation? From my view, it is not. It seems better for the authentication providers to provide those implementations, such as an LDAP server, etc., not Geronimo. IIRC, Geronimo only ships a property-file-based solution, and it is just a "doll" used for the admin console.

The other side is: could Geronimo take advantage of the User Admin service? Compared with the JAAS/JACC used in Geronimo now, User Admin is a role-based security model. In my feeling, it is more general:

a. It does not specify what to do, or how, in a Java EE environment, while in the Java world special permission objects are defined in JACC, like WebResourcePermission for web applications, EJBMethodPermission for EJB applications, etc.

b. The authorization approach is also somewhat different. In the User Admin service, for each action a group containing the allowed users/groups is defined, and at runtime it checks whether the current context implies the group object.

So currently, for authentication, we might define a LoginModule based on the User Admin service; for authorization, I have no clear idea yet :-(

Not sure whether there are other areas where we could use it in Geronimo 3.0. Thanks for any comments!

--
Ivan
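To make the two points in the message concrete (a User Admin based LoginModule for authentication, and a runtime check of whether the caller's context implies a group for authorization), here is a small Python model of that semantics. It is an added example, not Geronimo or OSGi code: the group rule it implements (a caller must imply at least one basic member and every required member) follows the OSGi User Admin specification's Group definition, while the class names, the `build_sample_admin()` helper and all users, passwords and group names are constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field

USER_ANYONE = "user.anyone"  # predefined OSGi role implied by every caller, anonymous or not


@dataclass
class Role:
    name: str


@dataclass
class User(Role):
    properties: dict = field(default_factory=dict)   # public, matched by get_user()
    credentials: dict = field(default_factory=dict)  # private, checked by has_credential()

    def has_credential(self, key, value):
        stored = self.credentials.get(key)
        if stored is None:
            return False
        # constant-time comparison so a wrong password cannot be timed character by character
        return hmac.compare_digest(str(stored).encode(), str(value).encode())


@dataclass
class Group(Role):
    basic: set = field(default_factory=set)     # caller must imply at least one of these
    required: set = field(default_factory=set)  # caller must imply every one of these


class Authorization:
    """The 'current context' of the message: answers whether the caller implies a role."""

    def __init__(self, admin, user=None):
        self.admin = admin
        self.user = user  # None models an anonymous caller

    def has_role(self, name):
        return self._implies(name, frozenset())

    def _implies(self, name, visited):
        if name == USER_ANYONE:
            return True
        role = self.admin.roles.get(name)
        if role is None:
            return False  # unknown role never grants access
        if isinstance(role, User):
            return self.user is not None and self.user.name == name
        if not isinstance(role, Group) or name in visited:
            return False  # plain role, or a cycle such as a group that contains itself
        visited = visited | {name}
        basic_ok = any(self._implies(m, visited) for m in role.basic)
        required_ok = all(self._implies(m, visited) for m in role.required)
        return basic_ok and required_ok


class UserAdmin:
    def __init__(self):
        self.roles = {USER_ANYONE: Role(USER_ANYONE)}

    def create_user(self, name, properties=None, credentials=None):
        self.roles[name] = User(name, dict(properties or {}), dict(credentials or {}))
        return self.roles[name]

    def create_group(self, name, basic=(), required=()):
        self.roles[name] = Group(name, set(basic), set(required))
        return self.roles[name]

    def get_user(self, key, value):
        for role in self.roles.values():
            if isinstance(role, User) and role.properties.get(key) == value:
                return role
        return None

    def authenticate(self, username, password):
        """What a User Admin based LoginModule would do: look the user up, check the credential."""
        user = self.get_user("username", username)
        if user is None or not user.has_credential("password", password):
            return None
        return Authorization(self, user)


def build_sample_admin():
    """Constructed sample directory; the users, passwords and group names are made up."""
    ua = UserAdmin()
    for who in ("alice", "bob", "carol"):
        ua.create_user(who, {"username": who}, {"password": who + "-pw"})
    ua.create_group("employees", basic={"alice", "bob"})
    # carol is a basic member but not an employee, so the required member blocks her
    ua.create_group("console-admins", basic={"alice", "carol"}, required={"employees"})
    ua.create_group("loop", basic={"loop"})  # self-referencing group: must not recurse forever
    return ua


if __name__ == "__main__":
    ua = build_sample_admin()
    for who in ("alice", "bob", "carol"):
        auth = ua.authenticate(who, who + "-pw")
        print(who, "console-admins:", auth.has_role("console-admins"))
```

The required-member rule is what makes the model more than a flat group list: a principal can be listed in an action's group and still be denied because a prerequisite group does not imply it, which is the kind of check a JACC-style permission object would otherwise have to encode itself. The visited set is the edge case worth keeping in a real LoginModule or authorization hook, since a misconfigured group that contains itself would otherwise turn every access check into unbounded recursion.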