All,

Attached is quite a busy collaboration diagram describing the interaction of the potential players in the AAA implementation.

A couple of things that need to be determined - the client-facing API for:
1. Authentication
a. JAAS client API
b. proprietary API to abstract the authentication mechanism - including JAAS
2. Authorization
a. J2SE authorization APIs
b. proprietary API to abstract the implementation
I am inclined to try to provide an abstraction through a proprietary API.
With that said, I think that we need to assume the use of the JAAS subject
as a vehicle for identity and attribute principals and credentials. The
subject would follow the user through the request/session through the use of
Subject.doAs() and/or doAsPrivileged() - this basically associates the
subject with the current thread of execution.
Using this mechanism, we have a standard vehicle to use as a security
context and a standard mechanism to acquire it from the thread context -
Subject.getSubject().
We are not obligated to use JAAS login modules or JAAS policy as the only
mechanisms for authentication and authorization.
Any thoughts?
thanks,
--Larry
[Attachment: AAA.gif]
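The thread-bound security context Larry describes, as an added example that is not part of the original message or of any project code: a JAAS Subject carrying an identity principal, an attribute (role) principal and a private credential is bound to the thread with Subject.doAs(), and downstream service code that never saw the login step recovers it with Subject.getSubject(AccessController.getContext()). The UserPrincipal and RolePrincipal classes, the describeCaller/callerHasRole helpers and the session-token credential are constructed for illustration. The code assumes a JDK where the AccessController-based API still functions (JDK 8 through 17); on JDK 18 and later, Subject.doAs() and Subject.getSubject() are deprecated and the latter throws on recent releases unless a Security Manager is allowed, so the same pattern is written with Subject.callAs() and Subject.current() there.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Set;
import javax.security.auth.Subject;

// Identity principal: who the caller is. (Constructed for this example.)
final class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public String toString() { return "User:" + name; }
}

// Attribute principal: a role or group carried alongside the identity. (Constructed.)
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public String toString() { return "Role:" + name; }
}

public final class SubjectContextDemo {

    // Service-layer code with no access to the login path: it acquires the
    // security context purely from the current thread's access-control context.
    static String describeCaller() {
        Subject s = Subject.getSubject(AccessController.getContext());
        if (s == null) {
            return "anonymous";          // nothing bound to this thread
        }
        StringBuilder sb = new StringBuilder();
        for (Principal p : s.getPrincipals()) {
            sb.append(p).append(' ');
        }
        return sb.toString().trim();
    }

    // Authorization check that works off the attribute principals in the
    // bound Subject rather than off JAAS policy, as the mail allows.
    static boolean callerHasRole(String role) {
        Subject s = Subject.getSubject(AccessController.getContext());
        if (s == null) {
            return false;
        }
        Set<RolePrincipal> roles = s.getPrincipals(RolePrincipal.class);
        return roles.stream().anyMatch(r -> r.getName().equals(role));
    }

    public static void main(String[] args) {
        // Authentication (by any mechanism) would populate this Subject.
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal("larry"));
        subject.getPrincipals().add(new RolePrincipal("admin"));
        // A private credential, e.g. a session token; char[] so it can be zeroed later. (Constructed.)
        subject.getPrivateCredentials().add("session-token-0123".toCharArray());

        // Freeze the Subject before binding it: downstream code running under
        // doAs() must not be able to add principals to its own context.
        subject.setReadOnly();

        // Associate the Subject with the current thread for the duration of the action.
        String who = Subject.doAs(subject, (PrivilegedAction<String>) SubjectContextDemo::describeCaller);
        System.out.println("inside doAs:        " + who);

        // doAsPrivileged with a null AccessControlContext starts a fresh context,
        // so callers further up the stack do not influence the decision.
        boolean isAdmin = Subject.doAsPrivileged(subject,
                (PrivilegedAction<Boolean>) () -> callerHasRole("admin"), null);
        System.out.println("admin in doAsPrivileged: " + isAdmin);

        // Outside doAs()/doAsPrivileged() nothing is bound to the thread.
        System.out.println("outside doAs:       " + describeCaller());
        System.out.println("admin outside:      " + callerHasRole("admin"));
    }
}
```

Two points worth keeping in mind with this pattern: the binding is lexical to the doAs() call, so any work handed to another thread (a thread pool, an async callback) loses the Subject unless it is re-bound there, and the Subject must be made read-only before it is handed to untrusted code or that code can mint itself new principals.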
