On 20 Jul 00, at 23:41, danch wrote:

> roman seidl wrote:
> >
> > Hello Rickard,
> >
> > Wednesday, July 12, 2000, 10:41:45 AM, you wrote:
> >
> > >> How does JAAS map to the Object level - Isn't it intended to be used
> > >> mainly rather with files than with objects? How would a JAAS API and an
> > >> object function call match?
> > R> JAAS allows us to authenticate the caller. This information can then be
> > R> used to implement the security as defined in the EJB spec.
> > So I could use JAAS to set a rule for a user depending on the object
> > the rule is applied to?
> > Or is it for authentication only?
> My thought is that there really ought to be separate authentication and
> authorization. There could be JAAS implementations of either, but I
> really think that JAAS is much stronger on the Authentication side than
> the Authorization side. (based on a quick reading of spec and API doco,
> not actual in depth knowledge (yet))

Hi,

The authorization in JAAS refers to Java security. Authorization for
EJBs is done by a completely different mechanism.

The reason to use JAAS in the container is to take advantage of
pluggable authentication mechanisms that have been/will be
developed. This makes it easier for our container to support
mappings of security roles to principals on different security
environments. Note that this is an implementation detail, not visible
to the component developer.

In addition to the reason given above, the reason to use JAAS on
the client is to eliminate a stand-alone client's dependency on a
proprietary authentication mechanism. Note that this reason does
not apply to clients operating in a J2EE client container, because
the container will provide the authentication interface.

-Dan

P.S. I'm going to be gone for a week and a half. When I get back, I
was going to turn my attention to prototyping a security
implementation if no one else has done it in the interim. If anyone
who's interested in the subject dredged up my proposal to this
list for an implementation strategy and commented on it, I'd
appreciate it. Of course, if I get back and someone has finished it
using a completely different approach, I'd be the last to complain. :-)
(I'd work on CMP for EJB 2.0 instead.)

>
> >
> > I'd really need a security system that allows granting rights on an
> > instance level.
> Not as unusual as certain specs might lead you to believe. One problem
> here is that the EJB spec defines security over a bean's method, not
> including the primary key (or any other way to indicate the bean
> instance you care about).
> You could do something like define roles based on the PK of the bean you
> need (ShipCaption_LandLubber, where 'LandLubber' is the PK value of an
> instance of ShipBean), then have sessions call isUserInRoll. This is
> really rather cheesy and non-scalable, however.
>
> > If there are any ideas on how to implement it I'd really
> > like to get to know them.
> Me too, since I'm listed as working on it 8^})
> I'm just getting to the end of a sprint at work and should be able to
> start thinking about it.
>
> >
> > R> Not out just yet. Coming to a mailing list near you really soon though
> > R> :-)
> >
> > Maybe a draft should be submitted - i want information :)
> >
> > mfg
> > roman
> > --
> > -------------------------------------------------------------------
> > Roman Seidl                                   Design & Development
> > -------------------------------------------------------------------
> > Public Voice Lab                       Operngasse 24, A-1040 Vienna
> > Tel.: +43-1-585 22 80/23                   Fax:  +43-1-585 22 80/99
> > e-mail: [EMAIL PROTECTED]                                  web: www.pvl.at
> > -------------------------------------------------------------------
>
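The split Dan draws between JAAS authentication and EJB authorization, and the instance-level granting Roman asks about, are easier to see in code. The following is an added example written for this page, not code from the list or from any container: DemoLoginModule, RoleMapper, ShipBean, the user table and the role table are all constructed for illustration, and the module is driven directly rather than through a LoginContext (which would need a JAAS configuration entry). It assumes Java 17 for records and pattern-matching instanceof. The LoginModule only establishes who the caller is and puts a Principal in the Subject; the container-side mapper turns principals into EJB security roles from deployment data; the bean then does the spec's method-level role check and, separately, an instance-level check keyed on data the instance itself owns, which is the alternative to encoding the primary key into a role name.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/* Added example (Java 17), not container code. DemoLoginModule, RoleMapper, ShipBean
 * and the user/role tables below are constructed for illustration only. */
public class JaasSeparationDemo {
    /** Principal the LoginModule places in the Subject once login has been committed. */
    record UserPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    /** AUTHENTICATION: a minimal JAAS LoginModule over a constructed in-memory credential table. */
    public static final class DemoLoginModule implements LoginModule {
        private static final Map<String, char[]> USERS = Map.of("roman", "s3cret".toCharArray());
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean succeeded;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc }); // credentials come from the caller's handler
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            char[] expected = USERS.get(nc.getName());
            char[] given = pc.getPassword();
            pc.clearPassword();
            succeeded = expected != null && given != null && Arrays.equals(expected, given);
            if (!succeeded) throw new LoginException("bad credentials");
            user = nc.getName();
            return true;
        }

        public boolean commit() { // identity is attached to the Subject only on commit
            if (succeeded) subject.getPrincipals().add(new UserPrincipal(user));
            return succeeded;
        }
        public boolean abort() { succeeded = false; user = null; return true; }
        public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal); return true; }
    }

    /** AUTHORIZATION, container side: principals -> EJB security roles, taken from deployment data. */
    static final class RoleMapper {
        private static final Map<String, Set<String>> ROLES = Map.of("roman", Set.of("ShipCaptain"));
        Set<String> rolesFor(Subject subject) {
            return subject.getPrincipals(UserPrincipal.class).stream()
                    .flatMap(p -> ROLES.getOrDefault(p.getName(), Set.of()).stream())
                    .collect(Collectors.toSet());
        }
    }

    /** AUTHORIZATION, bean side: the spec's method-level role check, then an instance-level check
     *  keyed on data the instance owns rather than on a role name that embeds the primary key. */
    record ShipBean(String primaryKey, String captainUser) {
        void setCourse(Subject caller, Set<String> roles) {
            if (!roles.contains("ShipCaptain"))
                throw new SecurityException("method-level: caller lacks role ShipCaptain");
            boolean owns = caller.getPrincipals(UserPrincipal.class).stream()
                    .anyMatch(p -> p.getName().equals(captainUser));
            if (!owns)
                throw new SecurityException("instance-level: caller is not captain of " + primaryKey);
        }
    }

    public static void main(String[] args) throws LoginException {
        Subject subject = new Subject();
        CallbackHandler handler = callbacks -> { // stands in for a console, GUI or client-container handler
            for (Callback c : callbacks) {
                if (c instanceof NameCallback n) n.setName("roman");
                else if (c instanceof PasswordCallback p) p.setPassword("s3cret".toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        DemoLoginModule lm = new DemoLoginModule();
        lm.initialize(subject, handler, Map.of(), Map.of());
        if (lm.login()) lm.commit(); // driven directly; a LoginContext would need a JAAS config entry

        Set<String> roles = new RoleMapper().rolesFor(subject);
        new ShipBean("LandLubber", "roman").setCourse(subject, roles);      // same role, own instance: allowed
        try {
            new ShipBean("SeaDog", "rickard").setCourse(subject, roles);    // same role, wrong instance: denied
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Swapping DemoLoginModule for any other LoginModule (LDAP, Kerberos, a database) changes nothing in RoleMapper or ShipBean, which is the point of keeping authentication pluggable; and because the instance check reads the owner from the bean rather than from a per-instance role name, the role table stays the same size however many ShipBean instances exist.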