On 11/5/07, David Jencks <[EMAIL PROTECTED]> wrote: > I've worked a bit on integrating Roller and Jetspeed2 into Geronimo > and one thing that quickly becomes clear is that the authorization > security requirements of these "dynamic content" applications are > almost completely unrelated to the javaee security specifications. > One small possible overlap is that the JACC spec supplies the > possibility of pluggable policies for authorization evaluation. > > I wondered if people would be interested in getting together to > discuss how app servers such as geronimo and security products such > as TripleSec could support these non-javaee security requirements and > how much commonality there might be across different types of > application. I'll be at ApacheCon all week and would be happy to > talk to everyone individually or in an informal meeting. > > Some of the things I've been wondering about are: > > - permission definition > - user administration: how are users added and removed or have their > permissions changed. > - resource administration: how are resources such as blogs, portal > pages, or portlets added or removed or have their user access changed > - specification of "default policy" for new users and new resources: > e.g. when a new user signs up what can they do?
I'm interested in chatting about this at ApacheCon. The situation gets even messier with social networking data, where each user can things like field visibility based on friends, close friends, those in my network, etc. I think there are some very interesting challenges at the intersection of social software and "enterprise" identity and I wonder if Java EE roles/policy can be extended in that direction. - Dave
