David,

Just some passing comments.

So we have a bunch of security infrastructure there that keeps growing, but 
none of it is used anywhere.  Is it possible we could get some of this hooked 
in?

Obviously this is an integration point that will require code changes in 
Geronimo, Jetty, and OpenEJB.  We wouldn't be tied to each other specifically, 
but to the JAAS and JACC specs as required by J2EE 1.4.

Anyone have any feedback on what it will take to get the following working?

1. Authentication: JAAS Login from Servlet container on any Form or Basic auth request.
This is probably not going to be too much work, as Jetty already does JAAS login for the JettyPlus product.

2. Authorization: JACC permissions checks by the servlet container.
This is going to require quite a bit of work deep in the internals of Jetty to replace Jetty's tempest-tested security code, and therefore some thorough analysis of what should be done, the best way to do it and the implications for Jetty.

Not that it makes any difference whatsoever to the need to implement it for Geronimo, but for my 2c, I think as a spec, JACC is a waste of space: too detailed and addresses the wrong problem.

cheers,
Jan




