On Oct 24, 2008, at 4:40 PM, Davanum Srinivas wrote:
David,
2 cents, how would one secure Geronimo in an enterprise scenario (say
LDAP servers) would help the admin guys i think.
That would be using the ldap login module? I could use that as the
example of swapping credential validation. Maybe I'm being too
ambitious.... I thought that was covered pretty well in the docs.
thanks
david jencks
-- dims
On Fri, Oct 24, 2008 at 7:07 PM, David Jencks
<[EMAIL PROTECTED]> wrote:
Geronimo Security, now and coming soon
Security can be divided into negotiation for credentials, credential
validation, and authorization.
First we'll look at setting up and swapping credential validation in
geronimio, a simple process everyone has to do to secure an
application.
Then we'll look at the JACC authorization framework where the
security
constraints in the javaee deployment descriptors and annotations are
translated into java permissions and used, together with a
principal-role
mapping, to authorize requests at runtime. If time allows we'll
look at
swapping JACC implementations. We'll look at extending the JACC
concepts to
other authorization decisions such as in portal frameworks.
Finally we'll look at the upcoming JASPI support that allows
pluggable
negotiation for credentials and see how it can be used to plug openid
authentication into a web app to replace basic or form based
authentication.
------------
I haven't written this yet so having lots of time to work on it
would be
great and any suggestions for improvement would be appreciated.
thanks
david jencks
On Oct 23, 2008, at 9:46 AM, William A. Rowe, Jr. wrote:
Hello Experts,
the AC/US planning team has a 1hr gap in the program, of the
"Security"
topic track 1 on Thursday 6 November.
http://us.apachecon.com/c/acus2008/schedule/2008/11/06
Please get back to me ASAP if you have (or would like to create) a
session
that hits one or more of the bullets below;
* security related
* ideally of some interest to admins, perhaps of interest to devs
* ideally related to some aspect of securing systems or apps with
consideration of client vulnerabilities
I'd appreciate any suggestions by Sat a.m., so whomever offers
to pick this up a solid week+ to prepare. Certainly by Mon a.m.
please? Remember all the usual speaker benefits apply, including
registration, and some flight and lodging costs.
Bill
--
Davanum Srinivas :: http://davanum.wordpress.com
