[ http://issues.apache.org/jira/browse/GERONIMO-2617?page=comments#action_12455143 ]

David Jencks commented on GERONIMO-2617:
----------------------------------------

Can you look into the facilities for a JACC provider to include the request in its determination whether to grant a permission? I think that may be a spec-compliant way of getting the same result without any non-spec additions.

> Custom Authorization
> --------------------
>
>                 Key: GERONIMO-2617
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2617
>             Project: Geronimo
>          Issue Type: New Feature
>      Security Level: public(Regular issues)
>            Reporter: Diego L Espineira
>
> Apache Geronimo to enable the developer to implement custom and complex
> security models, such as role hierarchies and permission inheritance between
> roles. This can be accomplished by adding an optional parameter to the
> security realm options specifying some class to intercept and handle the
> authorization to EJBs, WebServices and web content (JSP, html etc) by
> applying custom and application specific authorization based on information
> stored somewhere else (like a DBMS).
> This enables an application to allow its users to change the EJB methods and
> content permissions through the application itself. The authentication and
> authorization settings are widely wrongly assigned to deployment time, while
> it must be assigned much of it to run time.
> An example of this is the JBoss SX approach to this subject. An application
> security realm is configured to use an "authorization manager", which is a
> class that implements org.jboss.security.SecurityProxy. And it handles the
> requests to all the resources like EJBs.
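
A sketch of the role hierarchy the issue asks for, placed in the `java.security.Policy` decision point that a JACC container consults; this is an added example, not code from Geronimo, JBoss or either participant. `HierarchicalRolePolicy`, `MethodPermission`, the role names and the in-memory stores are hypothetical, principal names are assumed to be role names, and a real JACC provider would check `EJBMethodPermission`/`WebResourcePermission` and could read the current request through `PolicyContext.getContext("javax.servlet.http.HttpServletRequest")`.

```java
import java.security.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class HierarchicalRolePolicy extends Policy {
    /** Stand-in for JACC's EJBMethodPermission; "Bean.*" wildcards come from BasicPermission. */
    static final class MethodPermission extends BasicPermission {
        MethodPermission(String name) { super(name); }
    }

    // Hypothetical in-memory stores; both can change at run time (e.g. reloaded from a DBMS).
    private final Map<String, Set<String>> parents = new ConcurrentHashMap<>();
    private final Map<String, Permissions> grants = new ConcurrentHashMap<>();

    public void addParent(String role, String parent) {
        parents.computeIfAbsent(role, r -> ConcurrentHashMap.newKeySet()).add(parent);
    }
    public void grant(String role, Permission p) {
        grants.computeIfAbsent(role, r -> new Permissions()).add(p);
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission requested) {
        Deque<String> todo = new ArrayDeque<>();
        for (Principal p : domain.getPrincipals()) todo.add(p.getName()); // assumption: principal name = role
        Set<String> seen = new HashSet<>();
        while (!todo.isEmpty()) {
            String role = todo.pop();
            if (!seen.add(role)) continue;              // already visited: guards against cyclic hierarchies
            Permissions own = grants.get(role);
            if (own != null && own.implies(requested)) return true;
            todo.addAll(parents.getOrDefault(role, Set.of()));
        }
        return false;                                   // nothing in the hierarchy grants it: deny
    }

    public static void main(String[] args) {
        HierarchicalRolePolicy policy = new HierarchicalRolePolicy();
        policy.grant("clerk", new MethodPermission("OrderBean.view"));
        policy.grant("manager", new MethodPermission("OrderBean.approve"));
        policy.addParent("manager", "clerk");           // manager inherits everything clerk may do
        Principal[] who = { () -> "manager" };
        ProtectionDomain caller = new ProtectionDomain(null, null, null, who);
        System.out.println(policy.implies(caller, new MethodPermission("OrderBean.view")));
        System.out.println(policy.implies(caller, new MethodPermission("OrderBean.delete")));
        policy.grant("clerk", new MethodPermission("OrderBean.*")); // run-time change, no redeploy
        System.out.println(policy.implies(caller, new MethodPermission("OrderBean.delete")));
    }
}
```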
