Ben Alex wrote:
I thought I'd chime in here as I have an interest in both security as well as configuration generally. We're using Spring (www.springframework.org) and Acegi Security (http://acegisecurity.sourceforge.net). We'd like to deploy Jackrabbit into an IoC container so it more easily integrates with the rest of a Spring-based application, and use Acegi Security's ACL and authentication capabilities. I did some refactoring of current code and easily implemented pluggable authentication using an interface as shown (BTW I haven't read the pluggable authentication thread):

public interface AuthenticationToken {
    public void login(String applicationName, Credentials credentials) throws LoginException;
    public void logout();
    public String getUserId() throws RepositoryException;
    public boolean isAnonymous();
    public boolean isSystem();
}


This sort of interface allows people to still use JAAS, but also Acegi Security, home-grown solutions (which are very common) etc.

IMO, the concept of JAAS is abstract enough to handle this situation and it should be possible to implement a custom LoginModule that will add Principal information to the Subject being authenticated in such a way that authorization calls made on the Subject will actually be forwarded to Acegi.


Kind regards
Dominique Pfister
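
A sketch of the custom LoginModule approach suggested in the reply above, added here as an example and not code from this thread, Jackrabbit or Acegi Security. It covers only authentication and attaching the Principal to the Subject; ExternalAuthenticator, ExternalUserPrincipal and the static authenticator field are hypothetical names standing in for whatever the external framework provides.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class DelegatingLoginModule implements LoginModule {
    // Hypothetical stand-in for the external framework; not an Acegi or Jackrabbit type.
    public interface ExternalAuthenticator { boolean authenticate(String user, char[] password); }
    public record ExternalUserPrincipal(String name) implements Principal { // record: Java 16+
        public String getName() { return name; }
    }
    // Assumption: the application sets this once at startup, before any login.
    public static volatile ExternalAuthenticator authenticator;
    private Subject subject;
    private CallbackHandler handler;
    private Principal pending, committed;
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
    }
    public boolean login() throws LoginException {
        if (handler == null || authenticator == null) throw new LoginException("module not configured");
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { name, pass }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
        char[] pw = pass.getPassword();
        try {   // fail closed: missing input or a rejection is a failed login
            if (name.getName() == null || pw == null || !authenticator.authenticate(name.getName(), pw))
                throw new FailedLoginException("authentication failed");
            pending = new ExternalUserPrincipal(name.getName());
            return true;
        } finally { if (pw != null) Arrays.fill(pw, '\0'); pass.clearPassword(); }
    }
    public boolean commit() {   // runs only when the overall JAAS login succeeded
        if (pending == null) return false;
        subject.getPrincipals().add(committed = pending);
        pending = null; return true;
    }
    public boolean abort() {    // false tells JAAS this module had nothing to undo
        boolean had = pending != null || committed != null;
        pending = null; logout(); return had;
    }
    public boolean logout() {
        if (committed != null) subject.getPrincipals().remove(committed);
        committed = null; return true;
    }
}
```

The Principal is added in commit() rather than login(), so a Subject never carries it when another required module in the same JAAS configuration rejects the login.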
