Craig,

> One of the outgrowths of that realization is another JSR that you
> might want to keep track of (via <http://www.jcp.org>):
> 
>   JSR #115 -- Java(tm) Authorization Service Provider
>               Contract for Containers
> 
> Once this is fleshed out, Tomcat can be modified to support the new
> SPI contracts, and your Realm-equivalent implementation will itself
> be portable to different containers if it conforms.  Until then,
> though, I'm a little gun-shy about mucking around with the Realm
> interface.

Yes, I had seen this. Essentially, it looks to standardise what we are
already using, i.e. a JAAS subject wrapped inside the authenticated
container principal and each of the JAAS principals represents a role
(or something else) with associated permissions.  J2EE roles and
application roles are both supported.  This allows us to use principal
based access control.  Also with the configurable rolemapper class we
can effectively delegate as many access control decisions as we like.

> That seems like a reasonable strategy.

Well, it's done now :).  Is there any likelihood of these
interfaces/classes changing?  I've changed Realm, RealmBase and made my
own FormAuthenticator.  Are there any changes planned to these realm
parts?

> > JAAS would of course tie Tomcat to JDK1.3+, is there a minimum for
> > Tomcat 4?
> >
> 
> The current supported minimum is JDK 1.2.2.  And, I thought JAAS
> required 1.4 -- am I mis-remembering?

JAAS 1.0 was introduced as an extension to JDK1.3 but incorporated into
1.4 with some minor changes.

I'm glad to see that JAAS is now adopted as a requirement in the J2EE 1.3
spec, although it only mandates version 1.0 of JAAS.

What is the roadmap for Tomcat to conform to J2EE 1.3?  Presumably that
means some kind of JAAS support is required (why not start now!!)

> I assume you mean my BOF on container-managed security, right? 
> Forwarded under separate cover.

Received. Many thanks.
Antony
