On Aug 19, 2009, at 2:15 PM, Deepak Kaimal wrote:
David,
Thank you for your response and I hope you enjoyed your vacation, I
am sure it was well earned.
My aim was to create a Policy Enforcement Point (PEP) for J2 with
the OpenSSO server acting as the PDP and PAP. As we progressed, we
realized that the authorization components are distributed within
the J2 codebase and because of the different kinds of authorization
modes supported, it is not easy to pull just that component out.
We have decided that letting J2 manage authorization internally is
probably more robust and performance optimized since there is no
easy and manageable way to plug in a new authorization system.
Overall, I am now of the belief that authentication can be
centralized, but authorization is best handled natively.
OK... yes, we have the Java Security Policy based checks as well as
Security Constraints. I still like the idea of having a central
security accessor service as the dependency to all other services
requiring high level authorization checks. I am considering creating a
JIRA issue to complete this work, although I'm quite busy right now
coming, especially after returning from vacation :) and not sure when
I can get to it.