Hi Joni,

That sounds pretty interesting, however, I still have some doubts. Let's see:

.- Where do you get the user from (the one you use with user.getSubject())? Can these users be specified dynamically through a standard interface? Or do they have to be specified in a container-specific way?

.- Can the policy file be specified on a "per web application" basis, or does just one policy file exist for the whole system? This way I could specify the security of my applications independently. And could this information be extracted from a database/URL instead of a system file?

Just curious to see how I could use this standard API without losing all the flexibility and dynamicity that I've already accomplished with my own implementation.

Regards and thanks for the info,
D.

Joni Suominen wrote:
>
> Hi Daniel,
>
> JAAS is not necessarily tied to the OS user. Actually you can tie it to
> the OS user by using proper login modules which can authenticate if a
> user is already logged into an OS. However, in a true Java spirit, JAAS
> is much more generic. In fact it is just a framework to implement
> versatile authentication and authorization schemes. For instance, I
> authenticate users against a relational database (some might use LDAP).
> JAAS provides abstractions to represent a user's identity and
> permissions. It also provides algorithms to check if the configured security
> policy implies a certain permission.
>
> Some sample code:
>
>     PagePermission pagePermission = new PagePermission("admin");
>     PermissionCollection pc =
>         Policy.getPolicy().getPermissions(user.getSubject(), null);
>
>     if (pc.implies(pagePermission)) {
>         // authorization succeeded...
>     }
>     else {
>         // authorization failed: the current user doesn't have permission to
>         // view a page on this domain.
>     }
>
> Then in the policy file I might have:
>
>     grant Principal org.shiftctrl.framework.security.SCGroupPrincipal "admin" {
>         permission org.shiftctrl.framework.security.permissions.PagePermission "admin";
>     };
>
> This way it is easy to implement multiuser Java applications where
> access is controlled on a per-user or per-group level. JAAS is also
> integrated into JDK 1.4, like the new logging API you mentioned.
>
> --
> Joni
> [EMAIL PROTECTED]
> <snipped...>
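An added, self-contained illustration of the permission check Joni describes (example code written for this page, not from the thread or the shiftctrl framework). The PagePermission, GroupPrincipal and GroupPolicy names are assumptions, and the grants live in a Map instead of a policy file, which is one way to feed them from a database as asked above.

```java
import java.security.BasicPermission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

// Hypothetical page-domain permission. BasicPermission supplies the
// implies() rules: an exact name, or a trailing ".*" / "*" wildcard.
final class PagePermission extends BasicPermission {
    PagePermission(String domain) { super(domain); }
}

// Hypothetical group principal; the grant table is keyed on its name.
record GroupPrincipal(String name) implements Principal {
    public String getName() { return name; }
}

// In-memory stand-in for the policy file: group name -> granted page domains.
// Deny by default: a Subject with no known group gets an empty collection.
final class GroupPolicy {
    private final Map<String, Set<String>> grants;
    GroupPolicy(Map<String, Set<String>> grants) { this.grants = grants; }

    PermissionCollection getPermissions(Subject subject) {
        Permissions pc = new Permissions();
        for (GroupPrincipal g : subject.getPrincipals(GroupPrincipal.class)) {
            for (String domain : grants.getOrDefault(g.getName(), Set.of())) {
                pc.add(new PagePermission(domain));
            }
        }
        pc.setReadOnly();
        return pc;
    }

    boolean mayView(Subject subject, String domain) {
        return getPermissions(subject).implies(new PagePermission(domain));
    }
}

public class PageAuthzDemo {
    public static void main(String[] args) {
        GroupPolicy policy = new GroupPolicy(Map.of(
            "admin", Set.of("admin", "reports.*"),
            "staff", Set.of("reports.monthly")));
        Subject alice = new Subject();
        alice.getPrincipals().add(new GroupPrincipal("admin"));
        Subject bob = new Subject();
        bob.getPrincipals().add(new GroupPrincipal("staff"));
        System.out.println(policy.mayView(alice, "reports.quarterly")); // true, via "reports.*"
        System.out.println(policy.mayView(bob, "admin"));               // false, no grant
    }
}
```

Swapping the Map for a query against a user/group table gives per-application, runtime-changeable grants while keeping the Permission and Subject abstractions from JAAS.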