I've worked a bit on integrating Roller and Jetspeed2 into Geronimo
and one thing that quickly becomes clear is that the authorization
security requirements of these "dynamic content" applications are
almost completely unrelated to the javaee security specifications.
One small possible overlap is that the JACC spec supplies the
possibility of pluggable policies for authorization evaluation.
I wondered if people would be interested in getting together to
discuss how app servers such as geronimo and security products such
as TripleSec could support these non-javaee security requirements and
how much commonality there might be across different types of
application. I'll be at ApacheCon all week and would be happy to
talk to everyone individually or in an informal meeting.
Some of the things I've been wondering about are:
- permission definition
- user administration: how are users added and removed or have their
permissions changed.
- resource administration: how are resources such as blogs, portal
pages, or portlets added or removed or have their user access changed
- specification of "default policy" for new users and new resources:
e.g. when a new user signs up what can they do?
thanks!
david jencks