You might want to ask on the Security WG of the Enhydra app server project
(http://security.enhydra.org/). (That's where "Wayne" (me) and "Craig" (the
Enhydra security architect) hang out :) with Christophe Ney and Peter
McClain and ...)
Enhydra Enterprise is using JAAS-like security (except using Craig's Enhydra
Auth & Auth Lib "EAAL" in place of "JAAS" so we can run on JDK 1.2, as
required for EJB 1.1/J2EE 1.2)
Our message traffic stopped because we're deep in trying to get a commercial
product released... the results are that we have a security system with
competent LoginModules, with Subject propagation to the EJB container in
Enhydra App Server (across the RMI/JRMP layer), and use that Subject to get
the user name for programmatic security support. But, we don't yet use the
security framework to enforce EJB Roles (declarative security). We deferred
further work until after the commercial product shipped (RSN! honest :)
Wayne Stidolph [EMAIL PROTECTED]
> -----Original Message-----
> From: Shout Graphics --
>
> François,
>
> Thanks for the reply. Basically, I know that EJB and JAAS do not fit 100%
> together, but I know that Java is moving very strongly toward JAAS as the
> way of security. I wanted to try and make my SecurityService for
> JOnAS to be
> compliant. It is going to be tough, as Java did not think about how to
> integrate EJB with JAAS (and the way JOnAS is set up now it isn't easy).
>
> As to your question:
> "JAAS authorization mechanism may be used by the EJB server to
> implement
> method access control ? Is it what you intend to do ? Why ?"
>
> The reason is that if I use JAAS to authenticate, then I have a
> Subject to
> work with and possible multiple Principals. So I need JOnAS
> internally to be
> able to work with the Subject as well.
>
> The only place where this really causes a problem is in running
> code. JAAS
> has it run through the Subject with methods such as .doAs() where
> you pass
> it the action to do, the subject, and some other info (not
> important right
> now). This is not too far off from JOnAS's "preinvoke()" idea.
> However, the
> problem is that this is a final class, so I cannot change how
> those methods
> work. It has a few "obnoxious" requirements:
> 1. The class it runs MUST have a "run()" method where it begins
> a. This shouldn't be too bad, I can just instantiate a class with
> the method I need to run, etc. and then have that class do all
> the work in the run() method
> 2. It uses AccessControlContext and AccessController for permissions in
> running in the doAs() method. These are also final classes.
>
> Really, I think my only problems for integrating JAAS and JOnAS are:
> 1. the doAs() etc. methods (i.e. how to invoke a bean)
> 2. Getting the permissions (currently i only see examples of doing this
> with a file, and that's a pain because the "policy" file is of a
> diff. format than a deployment descriptor and would require a
> deployer to do both.
>
> As to whether anyone has tried to integrate JAAS and EJB, I saw a couple
> messages a while back on Enhydra's site that they were trying to
> do it, and
> then their messages just stopped. It was two guys named "Wayne"
> and "Craig".
> Do you know how I could contact them about their results?
>
> Thanks again, I look forward to hearing your input.
>
> Robert
> _________________________________________________________________
> Get your FREE download of MSN Explorer at http://explorer.msn.com
>
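The doAs() mechanics discussed above (the action must be a class with a run() method, and the Subject is only visible from inside that run()) as an added Java example; this is not code from the thread, JOnAS or Enhydra. UserPrincipal is a constructed stand-in for whatever Principal a real LoginModule would add, and callerName() is a hypothetical stand-in for the container-side "preinvoke" hook that needs the user name for programmatic security.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

public class DoAsDemo {

    // Constructed sample principal; a LoginModule's commit() would normally add one.
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    // Hypothetical stand-in for a container "preinvoke" hook: it recovers the
    // Subject bound to the current AccessControlContext and reads the user name.
    // Outside the dynamic scope of Subject.doAs() there is no Subject at all.
    static String callerName() {
        Subject s = Subject.getSubject(AccessController.getContext());
        if (s == null) {
            return "<anonymous>";
        }
        for (Principal p : s.getPrincipals(UserPrincipal.class)) {
            return p.getName();
        }
        return "<no user principal>";
    }

    public static void main(String[] args) {
        // Build a Subject by hand instead of running a LoginContext.
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal("robert"));
        subject.setReadOnly(); // prevent later tampering with the principal set

        System.out.println("before doAs: " + callerName()); // <anonymous>

        // The unit of work must be wrapped in a PrivilegedAction; doAs() calls
        // its run() with the Subject attached to the access-control context.
        String name = Subject.doAs(subject, new PrivilegedAction<String>() {
            public String run() {
                // Any code reached from here (e.g. a bean method) sees the Subject.
                return callerName();
            }
        });
        System.out.println("inside doAs: " + name); // robert

        // Once run() returns, the association is gone again.
        System.out.println("after doAs: " + callerName()); // <anonymous>
    }
}
```

Compile and run with plain javac/java; no policy file is needed for the Subject lookup itself. Note that AccessController and Subject.getSubject(AccessControlContext) are deprecated on recent JDKs (Subject.current() is the replacement from JDK 18 on), so the code above mirrors the JDK 1.2/1.3-era API the thread is talking about rather than current best practice.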
----
To unsubscribe, send email to [EMAIL PROTECTED] and
include in the body of the message "unsubscribe jonas-users".
For general help, send email to [EMAIL PROTECTED] and
include in the body of the message "help".