Kevin,

All comments are welcome and yours are very pertinent.

Regards,
Alan

> -----Original Message-----
> From: Kevin Conner [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 28, 2003 5:23 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: Apache Geronimo Security
>
>
> I hope you two don't mind me adding something to the
> discussion, I hope it is pertinent.
>
> I have a login module that does something similar to what is
> being proposed by Edward, the recursive mapping of the role
> principals until no more mapping can be performed. Associated
> with each of these roles are properties that are used to fine
> tune the security or provide general user properties (the
> user principal also has associated properties).
>
> I was asked to implement this because our clients required a
> hierarchical approach to security; they wanted the ability to
> specify a role in terms of other roles.
>
> This has worked very well in our environment and our
> customers heavily use this capability, mapping the roles onto
> their own organisational structure.
>
> IMHO the login module is the best place for this mapping, for
> performance reasons if no other, and it would be easy to
> abstract the recursive nature into a base class. I also
> agree, again IMHO, that the login module is the best place
> because the JAAS framework delegates this responsibility to
> the login module.
>
> Once again, I hope you don't mind this intrusion.
>
> Kev
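
The recursive role mapping described in the quoted message, sketched in Java as an added example (not code from this thread or from Geronimo). `RolePrincipal`, `ROLE_MAP`, `expand` and the role names are hypothetical, and the sample hierarchy is constructed; it includes a cycle to show why the expansion must track roles it has already resolved.

```java
import java.security.Principal;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

public class RoleExpansionExample {
    // Hypothetical role principal; a real login module would supply its own type.
    record RolePrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // Constructed sample hierarchy: role -> the roles it is defined in terms of.
    static final Map<String, List<String>> ROLE_MAP = Map.of(
        "trader", List.of("desk-user", "market-data"),
        "desk-user", List.of("employee"),
        "employee", List.of("desk-user"));   // deliberate cycle

    // Expand the directly granted roles until no more mapping can be performed.
    static Set<String> expand(Set<String> granted) {
        Set<String> resolved = new LinkedHashSet<>();
        Deque<String> pending = new ArrayDeque<>(granted);
        while (!pending.isEmpty()) {
            String role = pending.pop();
            if (!resolved.add(role)) {
                continue;                    // already resolved: terminates on cycles
            }
            pending.addAll(ROLE_MAP.getOrDefault(role, List.of()));
        }
        return resolved;
    }

    // The step a LoginModule.commit() would perform: attach every resolved role
    // to the Subject once, so later authorization checks need no further mapping.
    static void commit(Subject subject, Set<String> granted) {
        for (String role : expand(granted)) {
            subject.getPrincipals().add(new RolePrincipal(role));
        }
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        commit(subject, Set.of("trader"));
        subject.getPrincipals().forEach(p -> System.out.println(p.getName()));
    }
}
```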
