Santiago Gala
Fri, 23 Feb 2001 09:05:44 -0800
Jon Stevens wrote: > on 2/22/01 4:17 PM, "Santiago Gala" <[EMAIL PROTECTED]> wrote: > > >> All of the java.security.* framework is interface based. > > > So is Turbine's. > > I really don't see a need to use java.security.* when Turbine has a *MUCH* > more complete implementation of a security framework than just > java.security. > > -1 on java.security.* > The need to use java.security framework comes from: - being able to reuse security support very well studied and engineered (java.policy, doPrivileged(), checkPermission() ) inside the VM and get fine grained support for cehcking permissions or specifying privileged actions. The java code is already there. It is a matter of using it. Now that java2 is our target, the effort is more than justified. - being able to integrate in J2EE framework servlet containers simply (EJB, JDBC, ...) - being able to integrate in a given corporate environment. java.security.Principal is the standard way to deliver privileges. I think TurbineUser should implement Principal. - surviving in a securityManaged servlet container. As an example of this, the admin portlet in Jetspeed will throw a SecurityException if standard security is on (ReadPropertyPermission on). It the turbine framework is based on these objects, it will get cached in the proper level and treated as a security exception. If not, it will be processed as a standard error. Also, the thread pool will have problems with calls trying to set thread priority or stopping threads. I'm not saying that you drop turbine security. I agree it is cood (nice typo=cool+good :). What I'm saying is that turbine should use the interfaces and methods there, for instance as a way to handle users ( java.security.Principal user.getPrincipal() ) or as a way to check for permissions (doPrivileged() and checkPermission() ). Also that we use the standard exceptions for security based exceptions, so that try-catch is simpler to program and we can survive when a SecurityManager is in effect in the servlet container. Don't you think that ignoring java security will bring problems in the future? -- -------------------------------------------------------------- To subscribe: [EMAIL PROTECTED] To unsubscribe: [EMAIL PROTECTED] Search: <http://www.mail-archive.com/jetspeed@list.working-dogs.com/> List Help?: [EMAIL PROTECTED]