> David,
>
> Just some passing comments.
>
> > So we have a bunch of security infrastructure there that keeps growing, but none of it is used anywhere. Is it possible we could get some of this hooked in?
> >
> > Obviously this is an integration point that will require code changes in Geronimo, Jetty, and OpenEJB. We wouldn't be tied to each other specifically, but to the JAAS and JACC specs as required by J2ee 1.4
> >
> > Anyone have any feedback on what it will take to get the following working?
> >

Just an idea:

0. Take the security issue seriously with "class HelloWorld could not be loaded because of security exception" kind of art using the already existing java.security and java.policy thingy in conjunction with a signed org.apache.geronimo.system.main.Daemon geronimo-system-*.jar.

bax

> > 1. Authentication: JAAS Login from Servlet container on any Form or Basic auth request.
> This is probably not going to be too much work, as Jetty already does JAAS login for the JettyPlus product.
>
> > 2. Authorization: JACC permissions checks by the servlet container.
> This is going to require quite a bit of work deep in the internals of Jetty to replace Jetty's tempest-tested security code, and therefore some thorough analysis of what should be done, the best way to do it and the implications for Jetty.
>
> Not that it makes any difference whatsoever to the need to implement it for Geronimo, but for my 2c, I think as a spec, JACC is a waste of space: too detailed and addresses the wrong problem.
>
> cheers,
> Jan
