Hi David

David Nuescheler wrote:

> > 4. Often alternative OSS security frameworks and home-grown approaches cannot easily be made to integrate into a JAAS LoginModule
>
> With respect to authentication in Jackrabbit I am not creative enough to come up with a use case
> that cannot easily be wrapped into a JAAS LoginModule. Do you have any examples in mind?
>
> Authorization is certainly a more complicated issue.

I was referring to the fact that some OSS security frameworks take a fairly sophisticated approach to authentication management, and dropping them into a LoginModule isn't consistent with their design and architecture.

For example, Acegi Security uses a ThreadLocal to store authentication details. It offers a range of ways to populate that ThreadLocal, such as form, basic, digest, anonymous and remember-me authentication. It authenticates the contents of the ThreadLocal at various times, such as when an authentication request is first presented and then at each time a secure object is called. Integration with HttpSession to store the ThreadLocal contents between HTTP requests is also provided, along with run-as replacement and automatic propagation of the ThreadLocal contents from one JVM to another. The entire framework is interface-driven and wired from a Spring IoC container, so it actively encourages customisation and extension (something I'd love to see in Jackrabbit).

This type of authentication architecture can be "hammered" to work within a JAAS LoginModule, with the sacrifice of some functionality, loss of authentication customisation support, introduction of extra container-specific configuration (which equals loss of container portability), and provided that the container collects the credentials over the appropriate authentication mechanism (basic, digest, form etc) and presents it to the LoginModule. These trade-offs are actually why, despite Acegi Security offering this type of integration hook, it is neither recommended nor do many people rush to use it. Indeed the only users I've encountered who actually use this integration are EJB users who are using EJB declarative security. The rest of the community seems to value the 100% container portability, and richer customisable services available by not using JAAS.

Despite this, the comparative merit of using Security Framework A over Security Framework B is not really that important. What matters is that not all security frameworks in use today are 100% compatible with LoginModules. Also, Jackrabbit only needs a _minimal_ interface to integrate with _any_ underlying security system. I can't see any harm in offering such an interface, as it is both OO-friendly and helps develop a stronger Jackrabbit community by encouraging integration into existing applications and developer preferences.

Best regards
Ben



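To make the trade-off in the message above concrete, here is an added example (editor's code, not Acegi Security's, Jackrabbit's or the poster's; Java 17 assumed). It shows the two integration paths side by side: a hypothetical minimal `RepositoryAuthenticator` interface of the kind the mail asks Jackrabbit to offer, implemented by a stand-in ThreadLocal-based framework modelled on the design described above (not Acegi's real API), and the same delegate "hammered" into a standard JAAS `LoginModule`. The JAAS path needs a `Configuration` (the container-specific plumbing), can only accept whatever credentials the container's `CallbackHandler` collected, and has to reach its delegate through a static field because JAAS instantiates modules by class name rather than from an IoC container. The user "alice"/"s3cret" is a constructed sample.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical minimal interface of the kind the mail asks Jackrabbit to offer: one question, one answer.
interface RepositoryAuthenticator {
    Principal authenticate(String user, char[] password) throws LoginException;
}

record NamedPrincipal(String name) implements Principal {
    @Override public String getName() { return name; }
}

// Stand-in for a ThreadLocal-based framework, modelled on the design described above (not Acegi's API).
final class ThreadLocalAuthenticator implements RepositoryAuthenticator {
    private static final ThreadLocal<Principal> CURRENT = new ThreadLocal<>();
    private final Map<String, char[]> users; // constructed in-memory credential store for the demo

    ThreadLocalAuthenticator(Map<String, char[]> users) { this.users = users; }
    static Principal current() { return CURRENT.get(); }
    static void clear() { CURRENT.remove(); }

    @Override
    public Principal authenticate(String user, char[] password) throws LoginException {
        char[] expected = users.get(user);
        // Constant-time compare so an unknown user and a wrong password fail the same way.
        if (expected == null || !constantTimeEquals(expected, password)) throw new LoginException("bad credentials");
        Principal p = new NamedPrincipal(user);
        CURRENT.set(p); // the framework's idea of "who is calling" lives on this thread, not in a JAAS Subject
        return p;
    }

    private static boolean constantTimeEquals(char[] a, char[] b) {
        int diff = a.length ^ b.length;
        for (int i = 0; i < Math.min(a.length, b.length); i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// The JAAS "hammer": the same delegate wrapped so a container can drive it through a LoginModule.
public final class DelegatingLoginModule implements LoginModule {
    // JAAS instantiates modules by class name from a Configuration, so the delegate cannot be injected
    // by an IoC container; it has to be reachable statically or looked up from the options map.
    static RepositoryAuthenticator delegate;
    private Subject subject;
    private CallbackHandler handler;
    private Principal principal;

    @Override public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pw = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { name, pw }); // the container decided how these were collected
        } catch (IOException | UnsupportedCallbackException e) {
            throw (LoginException) new LoginException("cannot collect credentials").initCause(e);
        }
        char[] secret = pw.getPassword();
        pw.clearPassword();
        try { principal = delegate.authenticate(name.getName(), secret); } finally { Arrays.fill(secret, '\0'); }
        return true;
    }

    @Override public boolean commit() { subject.getPrincipals().add(principal); return true; }
    @Override public boolean abort() { principal = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().remove(principal); ThreadLocalAuthenticator.clear(); return true; }

    public static void main(String[] args) throws LoginException {
        Map<String, char[]> users = new HashMap<>();
        users.put("alice", "s3cret".toCharArray()); // constructed sample user
        RepositoryAuthenticator auth = new ThreadLocalAuthenticator(users);

        // Path 1: the minimal interface. One call, nothing container-specific.
        System.out.println("direct: " + auth.authenticate("alice", "s3cret".toCharArray()).getName());
        ThreadLocalAuthenticator.clear();

        // Path 2: JAAS. This Configuration is the environment-specific plumbing a real deployment carries in a container login.config.
        delegate = auth;
        Configuration.setConfiguration(new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DelegatingLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        });
        CallbackHandler fixed = callbacks -> { // stands in for the container's basic/digest/form collector
            for (Callback c : callbacks) {
                if (c instanceof NameCallback n) n.setName("alice");
                else if (c instanceof PasswordCallback p) p.setPassword("s3cret".toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext ctx = new LoginContext("jackrabbit", fixed);
        ctx.login();
        System.out.println("jaas: " + ctx.getSubject().getPrincipals() + ", thread-local: " + ThreadLocalAuthenticator.current());
        ctx.logout();
    }
}
```

Compile and run it as `DelegatingLoginModule.java`. The second path works, but note what it costs: the `Configuration` is set programmatically here and would otherwise live in a container-specific file, the module can only see a name and a password no matter how rich the framework's own collection mechanisms are, and the ThreadLocal is populated as a side effect on whichever thread the container ran `login()` on, which is exactly the kind of mismatch the message describes.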
_______________________________________________
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
