On Tue, May 12, 2009 at 10:45 PM, Raoul Duke <[email protected]> wrote: >> I have just realized that we probably need to become more security >> concerned than we have been so far. >> >> Anyone has any thoughts on this topic? > > I don't understand your situation entirely, apologies if I'm way off > base, and I suspect you want to go with standard Java approaches to > managing security. But... I'll throw out $0.02 that most security is > based on access control lists, and those are 9 times out of 10 > fundamentally flawed. A different and often mostly better approach > that might be worth thinking about is to use 'object capabilities' for > authorization.
Ok, sorry for not being absolutely clear. I am not talking about Authentication, Authorization and Audit. We will slowly build a Library for that, of which some already exist. I am talking about Java Codebase Security. What code is trusted to do what. And a lot of application server deployments run with it enabled, and it is then a matter of getting Qi4j through security inspection, so that deployment people feel that "Qi4j is Secure", so we can get the needed AllPermissions for *our* jars codebase. Cheers -- Niclas Hedhman, Software Developer http://www.qi4j.org - New Energy for Java I live here; http://tinyurl.com/2qq9er I work here; http://tinyurl.com/2ymelc I relax here; http://tinyurl.com/2cgsug _______________________________________________ qi4j-dev mailing list [email protected] http://lists.ops4j.org/mailman/listinfo/qi4j-dev
