Hi Scott

>> Hi Scott
>> 
>> The relationship in JAAS is Subject--->(many)Principals. Principal == ROLE
>> and LOGIN. 1 Login has exactly 1 Role.
>
>There is nothing in JAAS that requires a particular Principal being associated to a
>role and a login. The act of LoginContext.login() can introduce a login Principal that
>is based on an X509 cert. There is no role, it's just an identity token. It could also
>only associate Principals that correspond to roles associated with the login credentials.
>I don't see anything in the JAAS docs that require the distinction you're making.

I quoted the relevant parts.

>> In EJB-land 1 Login can have zero to many Roles. *JAAS doesn't define a way
>> you can handle this*. It doesn't preclude it, but it does not define how you
>> do it. However there is nothing to prevent what I have proposed and Oleg is
>> taking up, namely separating Principal out, so it represents an EJB-login
>> and contains its roles. Effectively giving us Principal == Login and
>> Role(s).
>>
>> Principal-->(many)Roles.
>>
>JAAS doesn't define anything but allows anything. I don't see any way in which JAAS is
>different than the EJB notion of users. In EJB the existence of users is only implied by
>virtue of the fact you can ascribe security roles to beans.

Not true. I've already pointed you to the right place to look so I won't
repeat myself.

> The actual login/authentication of
>a user is purely a server implementation detail.

Yep, but then I have never said otherwise so not really sure what point you
are making.

> JAAS is simply providing an explicit
>api for the authentication of a user in addition to providing an api for accessing the roles
>and security credentials that have been assigned to the user as a side effect of the authentication
>process.

You're just repeating the point I have made. I take it you agree with me now?

Edward
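
The two arrangements discussed in this thread, as an added example that is not code from either poster or from the project: roles held as sibling Principals on the Subject, and a single login Principal that contains its zero-to-many roles. The types LoginPrincipal, RolePrincipal and EjbLogin are hypothetical names, the data is constructed, and the records assume Java 16 or later.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

public class PrincipalModels {
    // Hypothetical principal types; JAAS itself only supplies the Principal interface.
    record LoginPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    record RolePrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    // Proposed arrangement: the principal is the login and carries its roles.
    record EjbLogin(String name, Set<String> roles) implements Principal {
        EjbLogin { roles = Set.copyOf(roles); } // role set cannot change after construction
        public String getName() { return name; }
    }

    // Flat arrangement: roles sit beside the login; nothing ties a role to one login.
    static boolean inRoleFlat(Subject s, String role) {
        return s.getPrincipals(RolePrincipal.class).stream()
                .anyMatch(p -> p.getName().equals(role));
    }

    // Nested arrangement: the role question is answered by the login principal.
    static boolean inRoleNested(Subject s, String role) {
        return s.getPrincipals(EjbLogin.class).stream()
                .anyMatch(p -> p.roles().contains(role));
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for what a LoginModule would commit.
        Subject flat = new Subject();
        flat.getPrincipals().add(new LoginPrincipal("edward"));
        flat.getPrincipals().add(new RolePrincipal("admin"));
        flat.getPrincipals().add(new RolePrincipal("auditor"));

        Subject nested = new Subject();
        nested.getPrincipals().add(new EjbLogin("edward", Set.of("admin", "auditor")));

        // Identity-only login (for example certificate based) with no roles at all.
        Subject certOnly = new Subject();
        certOnly.getPrincipals().add(new EjbLogin("CN=scott", Set.of()));

        System.out.println("flat admin:     " + inRoleFlat(flat, "admin"));
        System.out.println("nested admin:   " + inRoleNested(nested, "admin"));
        System.out.println("certOnly admin: " + inRoleNested(certOnly, "admin"));
    }
}
```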

