On Saturday 03 April 2004 19:14, Nader Aeinehchi wrote:
> Not only the authorization model may be different, but also each
> component may want to use a different authenticator. Based on that
> experience, I got the idea that a cascading security model should be
> provided, in which each component has its own security model that cannot
> violate the security constraints imposed by its surrounding container.

What I have in mind is that the Authenticator is pluggable through the
Context, so that the component doesn't know/care about how it is done, and
will just request the service from Merlin. You would then be able to provide
authenticators to each component independently (or collectively).

> Regarding "assign grants to 'components' instead of codebases", I would
> think you can solve it by a special purpose classloader. When a component
> is loaded by the classloader, simply assign the component its own
> codesource, that is different from its physical codesource. A similar
> approach is taken in Sun's J2EE 1.3 reference application server.

Thanks for the tip. This could be a good way forward. I (nor Stephen) won't
be working on it in the very near future though, since we have some other
pieces to clean up first, but I think it is next on the agenda after the
Excalibur/Fortress/Cornerstone effort.

Niclas
-- 
+---------//-------------------+
| http://www.bali.ac           |
| http://niclas.hedhman.org    |
+------//----------------------+
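
The classloader idea quoted above, combined with the cascading constraint from the first quoted paragraph, as an added sketch that is not part of the original message and not Merlin's code. The class name, the constructor parameters and the "file:/components/" prefix are all hypothetical.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.SecureClassLoader;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.Map;

// Hypothetical loader (all names are illustrative): one instance per component.
public class ComponentClassLoader extends SecureClassLoader {
    private final Map<String, byte[]> classBytes;   // class name -> bytecode
    private final ProtectionDomain domain;          // shared by the component's classes

    public ComponentClassLoader(ClassLoader parent, String component,
            Map<String, byte[]> classBytes, PermissionCollection requested,
            PermissionCollection containerCeiling) throws MalformedURLException {
        super(parent);
        this.classBytes = classBytes;
        // Logical codesource: names the component, not the jar it was read from.
        // The "file:/components/" prefix is a made-up convention.
        CodeSource logical = new CodeSource(
                URI.create("file:/components/" + component).toURL(),
                (Certificate[]) null);
        // Cascading rule: keep only the grants the container itself implies.
        Permissions effective = new Permissions();
        for (Permission p : Collections.list(requested.elements())) {
            if (containerCeiling.implies(p)) effective.add(p);
        }
        // Two-argument constructor: a static domain, so the installed Policy
        // cannot add permissions beyond the filtered set.
        this.domain = new ProtectionDomain(logical, effective);
    }

    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        byte[] b = classBytes.get(name);
        if (b == null) throw new ClassNotFoundException(name);
        // Every class of the component lands in the same logical domain.
        return defineClass(name, b, 0, b.length, domain);
    }
}
```

Permission checks against this domain are only enforced on runtimes where the Java security manager is active.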
