Sorry, I saw too late that we might continue the discussion on the list,

Best regards,

Michael Hartle,
Hartle & Klug GbR
--- Begin Message ---
Hi Ivelin,

> Michael,
>
> After reading some more on JAAS, JBoss and using my knowledge with WebLogic,
> I came to the conclusion that security management should be left out of
> Cocoon.
>
> It belongs to the J2EE containers.

Regarding the management of security (declaring security domains and the like), I agree. Regarding the use of authentication with JAAS, I think Cocoon would be simply another JAAS client, using an application server to authenticate against.

> I find the security constraint syntax in web.xml files simple and clear
> enough. It is perfectly applicable for Cocoon applications, since Cocoon is
> obviously a Java webapp.
> Security rules are URL based which fits nicely with Cocoon's URL based content
> management.

I do not yet think leaving security constraints to the servlet container is sufficient. Handling security in a different place than the sitemap makes it possible to get the security constraints "out of sync" with the URL space the sitemap defines. As there are other matchers that are not URL-based, solving security demands in these cases requires additional work that is dependent on the servlet container (as far as I understand). What is your opinion on these aspects?

> I may sound destructive and controversial, but as of now I believe that the
> Authentication module should not be a core Cocoon module and it should not
> appear as such in the documentation.

As there are other solutions such as the security constraints in web.xml available, having authentication components available as optional sitemap components would serve those who would like to use JAAS in that manner.

> Maybe a separate block. It brought quite a bit of confusion to me while I
> was trying to understand its unique value for Cocoon applications. All the
> applications that I have written for Cocoon require integration with the
> J2EE containers' security context and do not need the Auth (aka sunRise)
> component.

I haven't used the Auth/sunRise in my current project as I am not satisfied with them for various reasons, including the aspect of centralizing security management in an application server serving the logic, not in a presentation-oriented servlet container. Maybe I misunderstood your last sentence ("integration with the J2EE containers' security context"), but in our case, servlet containers and application servers are not necessarily running in the same VM or hosted on the same machine, therefore we try to use JNDI or something in that direction.

> Regards,
>
> Ivelin

Best regards,

Michael Hartle,
Hartle & Klug GbR


--- End Message ---