> -----Original Message-----
> From: Jan Bartel [mailto:[EMAIL PROTECTED]
>
> David,
>
> Just some passing comments.
>
> > So we have a bunch of security infrastructure there that keeps growing,
> > but none of it is used anywhere. Is it possible we could get some of this
> > hooked in?
> >
> > Obviously this is an integration point that will require code changes in
> > Geronimo, Jetty, and OpenEJB. We wouldn't be tied to each other
> > specifically, but to the JAAS and JACC specs as required by J2EE 1.4.
> >
> > Anyone have any feedback on what it will take to get the following
> > working?
> >
> > 1. Authentication: JAAS Login from Servlet container on any Form or
> > Basic auth request.
>
> This is probably not going to be too much work, as Jetty already does
> JAAS login for the JettyPlus product.
>
> > 2. Authorization: JACC permissions checks by the servlet container.
>
> This is going to require quite a bit of work deep in the internals of
> Jetty to replace Jetty's tempest-tested security code, and therefore
> some thorough analysis of what should be done, the best way to do it and
> the implications for Jetty.

I've been reading the Jetty code, a real pleasure BTW. It seems that the
security handlers, authenticators, and realms are tightly integrated with
the server and context. A looser coupling would allow users to use the same
Jetty security paradigm that is currently in place, while allowing one to
snap in JACC if one so desired. I've been working on this and will have
some preliminary patches in a few days. I am eager to hear your opinion.

> Not that it makes any difference whatsoever to the need to implement it
> for Geronimo, but for my 2c, I think as a spec, JACC is a waste of
> space: too detailed and addresses the wrong problem.

I am curious to know what J2EE security problem is out there that you
think still needs to be addressed. Just interested. IIUC, JACC allows
third party enterprise security packages to be snapped into J2EE servers.
There are already third party vendors out there.

Regards,
Alan
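For readers who have not worked with JACC, the "permissions check by the servlet container" in item 2 of the quoted list amounts to the following: after JAAS authentication (item 1) has produced the caller's Principals, the container builds a `javax.security.jacc.WebResourcePermission` from the request path and HTTP method, sets the application's policy context id, and asks the installed `java.security.Policy` (the JACC provider) whether a ProtectionDomain carrying those Principals implies the permission. The class below is an added illustration of that check and is not code from Jetty, Geronimo or OpenEJB; the class name `JaccWebAuthorizer`, the `SimplePrincipal` helper, the context id and the request values in `main` are all constructed for the example.

```java
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.WebResourcePermission;

/**
 * Illustrative JACC authorization check for a servlet container (hypothetical
 * helper, not code from Jetty, Geronimo or OpenEJB). A container would call
 * isAuthorized() after JAAS login has produced the caller's Principals and
 * before dispatching the request to the target servlet.
 */
public final class JaccWebAuthorizer {

    /** Minimal Principal used to represent the authenticated caller in the demo. */
    public static final class SimplePrincipal implements Principal {
        private final String name;
        public SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof SimplePrincipal && ((SimplePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "SimplePrincipal(" + name + ")"; }
    }

    /** JACC policy context id assigned to the deployed web application (constructed value). */
    private final String contextId;

    public JaccWebAuthorizer(String contextId) {
        this.contextId = contextId;
    }

    /**
     * Returns true when the installed Policy grants the caller's Principals a
     * WebResourcePermission for the given request path and HTTP method.
     * Note: PolicyContext.setContextID requires SecurityPermission("setPolicy")
     * when a SecurityManager is installed.
     */
    public boolean isAuthorized(String requestPath, String httpMethod, Principal[] callerPrincipals) {
        String previousContextId = PolicyContext.getContextID();
        try {
            // JACC policy decisions are scoped to the application's context id.
            PolicyContext.setContextID(contextId);

            // Permission name is the request path (relative to the context path),
            // actions is the HTTP method.
            Permission required = new WebResourcePermission(requestPath, httpMethod);

            // The caller is represented as a ProtectionDomain carrying only its Principals;
            // the installed Policy decides whether that domain implies the permission.
            ProtectionDomain caller = new ProtectionDomain(null, null, null, callerPrincipals);
            return Policy.getPolicy().implies(caller, required);
        } finally {
            // Restore whatever context id the thread carried before this check.
            PolicyContext.setContextID(previousContextId);
        }
    }

    public static void main(String[] args) {
        // Constructed demo values: context id, request, and an authenticated caller.
        JaccWebAuthorizer authorizer = new JaccWebAuthorizer("example-webapp-context-id");
        Principal[] principals = { new SimplePrincipal("alice"), new SimplePrincipal("manager") };
        boolean allowed = authorizer.isAuthorized("/admin/reports", "GET", principals);
        System.out.println("GET /admin/reports allowed for caller: " + allowed);
        // Without a JACC provider installed as the Policy, no grant for a
        // WebResourcePermission exists, so this is expected to print false.
    }
}
```

The deny-by-default behaviour of the last line is the point of the integration: the container never interprets `web.xml` security constraints itself; it only translates each request into a permission and defers to the provider, which is what lets a third party package be "snapped in" as Alan describes. On current JDKs `java.security.Policy` is deprecated for removal along with the Security Manager, so a present-day port of this pattern would need the provider to expose its decision through a different interface.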
