Jean-Francois Arcand wrote: > > > Glenn Nielsen wrote: > >> The JVM itself anticipated a need for alternative application specific >> Policy >> implementations and has the hooks for doing it. >> >> Are you aware of anyone working on a new standard? Is there a JSR? > > > > [FYI] > JSR 115 > (http://jcp.org/aboutJava/communityprocess/first/jsr115/index.html) Java > Authorization Contract for Container is in that direction (for > expressing Web Permissions and for moving away from the *.policy file > format). The spec doesn't say anything about the way policy file are > represented (open the door to new format). The main idea is to have a > pluggable Policy Provider. The Policy Provider could represent > permission the way it want, and have to publish it using the > WebPermission classes defined by the spec. I already made some change in > Tomcat 5 to allow the pluggability of a Provider.... > > If I understand properly (sorry I wasn't in the group 4 months ago), you > are trying to do something similar for all permission type (all > permissions described in the policy file). Castor is used to unmarshall > your XML policy statement to Permission objects. Is that correct? I > would be interested to see the code. >
Thanks for refering me to this JSR. I quickly skimmed the spec, I will have to read it in greater depth. The primary focus of the JSR seems to be role based policies built on top of JAAS. And that support for this is required in a J2EE 1.4 container but optional for a J2EE 1.3 container. So it could be back ported into Tomcat 4. From quickly skimming the spec it looks like it may address the core feature which spurred my development of an XML based policy. The ability for a web appliation to define its own security permissions. But restricted to those permissions which the container allows to be set (i.e. a sandbox). The JSR is a great deal more complex than what I did but may meet the needs I was trying to address. Yes, Castor is used in the Tomcat build to generate the source for the java classes which implement the XML Schema. Then at runtime those generated classes use the API in the castor xml jar. A tarball with patches and new files for Tomcat 4 is available at: http://duke.more.net/~glenn/tomcat4-xmlpolicy.tar.gz if you would like to review this. Regards, Glenn -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
