Return-Path: 
 <tomcat-dev-return-24072-apmail-jakarta-tomcat-dev-archive=jakarta.apache.org@jakarta.apache.org>
Delivered-To: apmail-jakarta-tomcat-dev-archive@jakarta.apache.org
Received: (qmail 31565 invoked by uid 500); 6 Jul 2001 06:45:26 -0000
Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
list-help: <mailto:tomcat-dev-help@jakarta.apache.org>
list-unsubscribe: <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
list-post: <mailto:tomcat-dev@jakarta.apache.org>
Reply-To: tomcat-dev@jakarta.apache.org
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Received: (qmail 31556 invoked from network); 6 Jul 2001 06:45:23 -0000
Message-ID: <3B455E8E.AE3F1C40@teamware.com>
Date: Fri, 06 Jul 2001 09:45:34 +0300
From: Antony Bowesman <adb@teamware.com>
X-Mailer: Mozilla 4.73 [en] (WinNT; U)
X-Accept-Language: en,fi
MIME-Version: 1.0
To: tomcat-dev@jakarta.apache.org
Subject: Re: First day - RE: PROPOSAL:  Tomcat docs
References: <NEBBKCJBPLLPNFMKLPAJMEODDHAA.rslifka@home.com>
 <00eb01c104fe$32e24b20$3512a8c0@wspunkytse> <3B43EFA7.72B2AD53@teamware.com>
 <3B4453E5.C4EBC7BC@voyager.apg.more.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Spam-Rating: h31.sny.collab.net 1.6.2 0/1000/N

Glenn Nielsen wrote:
> 
> Antony Bowesman wrote:
> >
> > > 8. Security
> >
> > How about
> > 8.1 Concepts - Explanation of J2EE and Java 2 security models
> > 8.2 Authentication with Realms
> > 8.2.1 Simple realm
> > 8.2.2 JDBC Realm
> > 8.2.3 Custom realms
> > 8.3 Authorization
> > 8.3.1 J2EE role based
> >
> > In particular, it should try to explain in simpler terms than the API
> > spec how J2EE roles are designed to work, covering the mapping from
> > developer roles to deployment roles.
> >
> > 8.3.2 Java 2 security policy
> >
> 
> I would break the above into two sections.
> 
> Access Control (for all the Realm based access control)
> 
> and
> 
> Server Security (for configuring and using Tomcat with the Java 
> SecurityManager)
> 
> These really are two completely different topics.  And use of
> Realms isn't "Security", it is "Access Control".

Not sure I'd agree with your removal of Java Security Manager from a
chapter about access control.  The first line of the JavaTM 2 Platform
Security Introduced: document at

http://java.sun.com/j2se/1.3/docs/guide/security/index.html

says

* Policy-based, easily-configurable, fine-grained access control....

Access control is one element of securing a server, as is
authentication, encryption, non repudiation, SSL etc.

Access control is performed by Java 2 security manager as well as J2EE
and they compliment each other.  JAAS (JDK1.3 extension) which extends
the Java 2 model and which is now included in JDK1.4 extends the Java 2
security model to provide principal based access control on top of code
source.  So access control is firmly part of Java security.

There should be additional sections on 'server security' that includes
configuring the server for use with SSL.

Antony