I'm totally with you on this one and I'm trying to work out exactly where the problem 
is. Is it JBoss specific or is it a limitation in the J2EE specification?

Now JAAS is great: a total PAM-based methodology that allows any form of credential and 
authentication credential type: three-phase, mutual, interactive, one-time 
token.

The problem seems to be fitting the J2EE authorisation model onto it: limitations in 
having to specify a single principal and a list of roles as a policy model, where JAAS 
defines a much better Principal and credentials model.

Then the limitations with the SubjectSecurityManager only allowing two parameters 
("username", "password"), not to mention the reauthentication of credentials (how does 
this work with one-time token creds?).

So it seems to me you can either ditch the policy model (web constraints and EJB 
constraints) in J2EE if you want a more complex security model and roll your own 
authorisation

OR

be limited to the available security model if you want the policy model,

OR

rewrite the whole thing...

Is it just JBoss? Or J2EE?

Is it time to think .NET?

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3840987#3840987

JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user