----- Original Message ----- 
From: "Kenworthy, Edward" <[EMAIL PROTECTED]>
To: "'jBoss'" <[EMAIL PROTECTED]>
Sent: Friday, December 15, 2000 12:20 AM
Subject: RE: [jBoss-User] Security


> Hi Scott
> 
> The relationship in JAAS is Subject--->(many)Principals. Principal == ROLE
> and LOGIN. 1 Login has exactly 1 Role.
> 
There is nothing in JAAS that requires a particular Principal to be associated with a
role and a login. The act of LoginContext.login() can introduce a login Principal that
is based on an X509 cert. There is no role, it's just an identity token. It could also
only associate Principals that correspond to roles associated with the login
credentials.
I don't see anything in the JAAS docs that requires the distinction you're making.

> In EJB-land 1 Login can have zero to many Roles. *JAAS doesn't define a way
> you can handle this*. It doesn't preclude it, but it does not define how you
> do it. However there is nothing to prevent what I have proposed and Oleg is
> taking up, namely separating Principal out, so it represents an EJB-login
> and contains its roles. Effectively giving us Principal == Login and
> Role(s).
> 
> Principal-->(many)Roles.
> 
JAAS doesn't define anything but allows anything. I don't see any way in which JAAS is
different from the EJB notion of users. In EJB the existence of users is only implied by
virtue of the fact you can ascribe security roles to beans. The actual
login/authentication of a user is purely a server implementation detail. JAAS is simply
providing an explicit API for the authentication of a user in addition to providing an
API for accessing the roles and security credentials that have been assigned to the
user as a side effect of the authentication process.
--
--------------------------------------------------------------
To subscribe:        [EMAIL PROTECTED]
To unsubscribe:      [EMAIL PROTECTED]
Problems?:           [EMAIL PROTECTED]
