portals-jetspeed-dev mailing list archives

From Kurt Schrader <kschr...@engin.umich.edu>
Subject Re: Informal Meeting @ Collab
Date Tue, 08 Jan 2002 04:00:56 GMT

On Monday, January 7, 2002, at 08:21 PM, Santiago Gala wrote:

> I am much more concerned about the second point up in the quoted 
> message. I will post there my feelings, but my basic feeling is that 
> authentication and basic security belong to the servlet container, or, 
> better, to the VM. We should plug and extend the standard java 2 
> interfaces and classes for this.
>
> In this area, trying to re-invent the wheel is a mess, because testing 
> and quality assurance will be very great. With JAAS bundled in jdk1.4 
> (or available as an extension in jdk1.2+), we already have 
> authentication against PAM, LDAP and NT security, and also a fine 
> grained and tested security model that is already there in Tomcat-4.
>
> Inside a portlet container we cannot trust, for instance, that a 
> portlet will not call data.getUser.getPassword() and send the password 
> of a user by e-mail. So, we should use java.security.Principal as our 
> base for security, and have it related with a UserProfile class, where 
> we store whatever info is needed for Turbine, Jetspeed and other apps.

Some of us discussed this in IRC today and essentially came to the same 
conclusion.
Using JAAS seems to be our best bet for the future of Turbine.  That 
would allow us to work on any servlet container, not just Tomcat.  I 
also get the feeling that no one really wants to deal with fixing or 
rewriting what we have now.  ;)

- Kurt
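
The design argued for in this thread, as an added example that is not part of the original message and not Jetspeed or Turbine code: portlet code receives only a java.security.Principal and a profile object with no credential field, so there is nothing like getPassword() for it to call. NamedPrincipal, UserProfile and PortletContext are hypothetical names, the user is constructed sample data, and the code assumes Java 8 or later.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

// Hypothetical types for illustration: NamedPrincipal, UserProfile, PortletContext.
public class PrincipalProfileDemo {
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Non-secret per-user data tied to a Principal; there is no password field to read. */
    static final class UserProfile {
        private final Principal owner;
        private final Map<String, String> attributes;
        UserProfile(Principal owner, Map<String, String> attributes) {
            this.owner = owner;
            this.attributes = Collections.unmodifiableMap(new HashMap<>(attributes));
        }
        Principal getOwner() { return owner; }
        String getAttribute(String key) { return attributes.get(key); }
    }

    /** Everything the container exposes to a portlet about the current user. */
    interface PortletContext {
        Principal getUserPrincipal();
        UserProfile getProfile();
    }

    /** Stands in for untrusted portlet code: it can greet the user but holds no credential. */
    static String render(PortletContext ctx) {
        return "Hello " + ctx.getProfile().getAttribute("displayName")
                + " (" + ctx.getUserPrincipal().getName() + ")";
    }

    public static void main(String[] args) {
        Principal p = new NamedPrincipal("jdoe"); // constructed user; login (e.g. JAAS) stays in the container
        Map<String, String> attrs = new HashMap<>();
        attrs.put("displayName", "J. Doe");
        UserProfile profile = new UserProfile(p, attrs);
        PortletContext ctx = new PortletContext() {
            public Principal getUserPrincipal() { return p; }
            public UserProfile getProfile() { return profile; }
        };
        System.out.println(render(ctx));
    }
}
```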

