> On Tue, May 11, 2004 at 10:44:30AM +0200, hbaxmann wrote: > > > > Obviously this is an integration point that will require > > > code changes in Geronimo, Jetty, and OpenEJB. We wouldn't be > > > tied to each other specifically, but to the JAAS and JACC > > > specs as required by J2ee 1.4 > > > > > > > > Anyone have any feedback on what it will take to get the > > > following working? > > > > > > > > Just an idea: > > > > 0. Take the security issue seriously with "class HelloWorld > could not be > > loaded because of security exception" kind of art using the > already existing > > java.security and java.policy thingy in conjuntion with a signed > > org.apache.geronimo.system.main.Daemon geronimo-system-*.jar. > > > > We definitely have these thoughts on our radar and plan on being total > security nuts. We'd even like to sign things like our own packaged > components which contain all the classes and configs of something > Geronimo loads into its container as an actually part the system. >
Mhhhm, there are well known J2EE implementations which are able no more to introduce a AOP-proved security because the whole thing has to be "refactored": rewritten. Are there any standardization efforts in inventing or using a already existent _idenfication_mechanism_ for class _instances_ ? Otherwise IMHO one will end up with a 'turn-one-key-open-all-doors' AOP crap. bax
