I'm totally with you on this one and I'm trying to work out exactly where the problem is. Is it JBoss specific, or is it a limitation in the J2EE specification?

Now JAAS is great: a total PAM-based methodology that allows any form of credential and authentication credential type... three phase... mutual... interactive... one-time token. The problem seems to be fitting the J2EE authorisation model onto it: limitations in having to specify a single principal and a list of roles as a policy model, where JAAS defines a much better Principal and credentials model. Then there are the limitations with the SubjectSecurityManager only allowing two parameters ("username", "password"), not to mention the reauthentication of credentials (how does this work with one-time token creds??????).

So it seems to me you can either ditch the policy model (web constraints and EJB constraints) in J2EE if you want a more complex security model and roll your own authorisation, OR be limited to the available security model if you want the policy model. OR rewrite the whole thing... Is it just JBoss? Or J2EE? Is it time to think dotnet?

View the original post: http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3840987#3840987

JBoss-user mailing list: https://lists.sourceforge.net/lists/listinfo/jboss-user