I have two use cases for a webapp:
a) The web.xml defines zero security constraints, implying the webapp is totally insecure.
b) The web.xml secures a portion of the webapp. There is a subset of the webapp that represents unsecured resources.
In case a), there is little we can do. No identity (authentication) is established and JACC delegation for authorization is meaningless.

In case b), I am guessing that a JACC delegation for both the secure and unsecured resources should be possible (from a perspective of current Tomcat/JBoss implementation) to delegate to a JACC provider (via some config asking for delegation for unsecured resources).

A boundary case is:
c) Identity of the user is established by some other means - SSO, federation etc. If the webapp is totally insecure (zero security constraints), should we delegate to JACC (now that the identity of the caller has been established and the JACC provider may need to authorize, irrespective of whether the web.xml defines security constraints)?

Is my understanding right?

View the original post: http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3940465#3940465
