On Wed, 09 Mar 2005 11:13:15 +1100, Ben Alex <[EMAIL PROTECTED]> wrote:
> 1. How does Jackrabbit justify JAAS as the sole security framework, when
> both the JSR 170 specification and implementation reality reflect otherwise?

first of all, jackrabbit is not promoting in any way that JAAS should be used as the sole security *framework*. i am talking of using the JAAS *api*, namely LoginModule, Subject & Principal instead of defining yet-another-authentication-abstraction-api. it's IMO trivial to implement LoginModule. by using JAAS api's internally we can keep jackrabbit's implementation simple and abstract.

> 2. At a conceptual OO level, what is wrong with a security abstraction
> interface that allows people to use the numerous non-JAAS frameworks
> frequently deployed in the real world?

those people would have to write an adapter that implements the AuthenticationToken interface. i really don't see why this should be less complicated than writing an adapter that implements LoginModule. is LoginModule not abstract enough for you?

> 3. How is it enhancing Jackrabbit adoption by alienating all the users
> of home-grown and non-JAAS security frameworks?

why would it alienate those users? again, i am not talking of security *frameworks*, i am strictly talking of the api that your adapter would have to implement.

cheers
stefan

>
> Best regards
> Ben
>
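The kind of adapter discussed in this message, shown as an added example that is not part of the original thread or of Jackrabbit's code: a JAAS LoginModule that delegates the credential check to a home-grown, non-JAAS component. `LegacyAuthenticator`, `UserPrincipal` and the sample credentials are hypothetical names and constructed values; the record syntax assumes Java 16 or later.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class LegacyLoginModule implements LoginModule {
    // Hypothetical stand-in for an existing non-JAAS credential check.
    interface LegacyAuthenticator { boolean check(String user, char[] password); }
    // Hypothetical principal type; the record supplies equals/hashCode for Set membership.
    record UserPrincipal(String name) implements Principal { public String getName() { return name; } }
    // Constructed sample backend; a real adapter would delegate to the existing framework.
    static final LegacyAuthenticator BACKEND =
        (u, p) -> "alice".equals(u) && Arrays.equals(p, "s3cret".toCharArray());

    private Subject subject;
    private CallbackHandler handler;
    private UserPrincipal authenticated;   // non-null only after login() succeeded

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pw = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { name, pw });
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e);
        }
        char[] secret = pw.getPassword();   // returns a copy; wiped in finally
        pw.clearPassword();                 // wipe the callback's own copy
        try {
            if (name.getName() == null || secret == null || !BACKEND.check(name.getName(), secret))
                throw new FailedLoginException("authentication failed");   // fail closed
            authenticated = new UserPrincipal(name.getName());
            return true;
        } finally {
            if (secret != null) Arrays.fill(secret, '\0');
        }
    }
    public boolean commit() {               // publish the principal only in the commit phase
        if (authenticated == null) return false;
        subject.getPrincipals().add(authenticated);
        return true;
    }
    public boolean abort() { boolean ok = authenticated != null; authenticated = null; return ok; }
    public boolean logout() {               // remove only the principal this module added
        if (authenticated != null) subject.getPrincipals().remove(authenticated);
        authenticated = null;
        return true;
    }
}
```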
