Re: Portlet security

Santiago Gala Fri, 23 Feb 2001 09:05:44 -0800
Jon Stevens wrote:

> on 2/22/01 4:17 PM, "Santiago Gala" <[EMAIL PROTECTED]> wrote:
> 
> 
>> All of the java.security.* framework is interface based.
> 
> 
> So is Turbine's.
> 
> I really don't see a need to use java.security.* when Turbine has a *MUCH*
> more complete implementation of a security framework than just
> java.security.
> 
> -1 on java.security.*
> 

The need to use java.security framework comes from:

- being able to reuse security support very well studied and engineered
(java.policy, doPrivileged(), checkPermission() ) inside the VM and get
fine grained support for cehcking permissions or specifying privileged actions.
The java code is already there. It is a matter of using it. Now that java2 is our 
target,
the effort is more than justified.

- being able to integrate in J2EE framework servlet containers simply (EJB, JDBC, ...)

- being able to integrate in a given corporate environment. java.security.Principal is 
the standard way to deliver privileges. I think TurbineUser should implement Principal.


- surviving in a securityManaged servlet container. As an example of this,
the admin portlet in Jetspeed will throw a SecurityException if standard security
is on (ReadPropertyPermission on). It the turbine framework is based on these objects,
it will get cached in the proper level and treated as a security exception. If not,
it will be processed as a standard error. Also, the thread pool will have problems 
with calls
trying to set thread priority or stopping threads.
I'm not saying that you drop turbine security. I agree it is cood (nice 
typo=cool+good :). What I'm saying is that turbine should use the 
interfaces and methods there, for instance as a way to handle users ( 
java.security.Principal user.getPrincipal() ) or as a way to check for 
permissions (doPrivileged() and checkPermission() ). Also that we use 
the standard exceptions for security based exceptions, so that try-catch 
is simpler to program and we can survive when a SecurityManager is in 
effect in the servlet container.

Don't you think that ignoring java security will bring problems in the 
future?



--
--------------------------------------------------------------
To subscribe:        [EMAIL PROTECTED]
To unsubscribe:      [EMAIL PROTECTED]
Search: <http://www.mail-archive.com/jetspeed@list.working-dogs.com/>
List Help?:          [EMAIL PROTECTED]
Re: Portlet security

Reply via email to
