On Mon, 21 Jan 2002 15:11, MCCAY,LARRY (HP-NewJersey,ex2) wrote:
> Attached is quite a busy collaboration diagram describing the interaction
> of the potential players in the AAA implementation.

Looks good. One question though - does AuthorizationManager use the standard Java2 permissions model?

> A couple things that need to be determined - the client facing api for:
> 1. Authentication
>    a. JAAS client api
>    b. proprietary api to abstract authentication mechanism -
>       including JAAS
>
> 2. Authorization
>    a. J2SE authorization api's
>    b. proprietary api to abstract implementation
>
> I am inclined to try and provide an abstraction through proprietary api.
>
> With that said, I think that we need to assume the use of the JAAS subject
> as a vehicle for identity and attribute principals and credentials. The
> subject would follow the user through the request/session through the use
> of Subject.doAs() and/or doAsPrivileged() - this basically associates the
> subject with the current thread of execution.
>
> Using this mechanism, we have a standard vehicle to use as a security
> context and a standard mechanism to acquire it from the thread context -
> Subject.getSubject().
>
> We are not obligated to use JAAS login modules or JAAS policy as the only
> mechanisms for authentication and authorization.
>
> Any thoughts?

Works for me. I am not real familiar with JAAS but if it is useful to provide an abstraction over the top then I am all for that ;)

--
Cheers,

Pete

The big mistake that men make is that when they turn thirteen or fourteen and all of a sudden they've reached puberty, they believe that they like women. Actually, you're just horny. It doesn't mean you like women any more at twenty-one than you did at ten.
                --Jules Feiffer (cartoonist)
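
The mechanism discussed in this thread (a JAAS Subject bound to the thread with Subject.doAs() and read back with Subject.getSubject(), behind a proprietary facade) is sketched below as an added example; it is not code from the thread or from the project. `SecurityContext`, `RolePrincipal`, `runAs`, `callerHasRole` and `deleteRecord` are hypothetical names, and the code uses the classic API, `Subject.getSubject(AccessControlContext)`, which newer JDKs deprecate in favour of `Subject.callAs()` and `Subject.current()`.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

public class SubjectContextDemo {

    // Hypothetical attribute principal; a real system would populate these at login.
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    // Hypothetical facade: application code never touches JAAS types directly.
    static final class SecurityContext {
        static <T> T runAs(Subject subject, PrivilegedAction<T> action) {
            subject.setReadOnly(); // downstream code cannot add principals to the subject
            return Subject.doAs(subject, action); // binds the subject to this thread's context
        }
        static boolean callerHasRole(String role) {
            Subject s = Subject.getSubject(AccessController.getContext());
            if (s == null) return false; // no subject on this thread: deny by default
            return s.getPrincipals(RolePrincipal.class).contains(new RolePrincipal(role));
        }
    }

    // Business method that authorizes against whatever subject the thread carries.
    static String deleteRecord() {
        return SecurityContext.callerHasRole("admin") ? "deleted" : "denied";
    }

    public static void main(String[] args) {
        // Constructed subjects; no login module is involved in this sketch.
        Subject admin = new Subject();
        admin.getPrincipals().add(new RolePrincipal("admin"));
        Subject guest = new Subject();
        guest.getPrincipals().add(new RolePrincipal("guest"));

        System.out.println("no subject: " + deleteRecord());
        System.out.println("admin:      " + SecurityContext.runAs(admin, SubjectContextDemo::deleteRecord));
        System.out.println("guest:      " + SecurityContext.runAs(guest, SubjectContextDemo::deleteRecord));
    }
}
```

Because the subject is looked up from the thread context on every check, a call made outside `runAs` has no identity and is refused, not treated as privileged.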
