Antony Bowesman wrote:
> 
> Glenn Nielsen wrote:
> >
> > Antony Bowesman wrote:
> > >
> > > > 8. Security
> > >
> > > How about
> > > 8.1 Concepts - Explanation of J2EE and Java 2 security models
> > > 8.2 Authentication with Realms
> > > 8.2.1 Simple realm
> > > 8.2.2 JDBC Realm
> > > 8.2.3 Custom realms
> > > 8.3 Authorization
> > > 8.3.1 J2EE role based
> > >
> > > In particular, it should try to explain in simpler terms than the API
> > > spec how J2EE roles are designed to work, covering the mapping from
> > > developer roles to deployment roles.
> > >
> > > 8.3.2 Java 2 security policy
> > >
> >
> > I would break the above into two sections.
> >
> > Access Control (for all the Realm based access control)
> >
> > and
> >
> > Server Security (for configuring and using Tomcat with the Java
> > SecurityManager)
> >
> > These really are two completely different topics.  And use of
> > Realms isn't "Security", it is "Access Control".
> 
> Not sure I'd agree with your removal of Java Security Manager from a
> chapter about access control.  The first line of the JavaTM 2 Platform
> Security Introduced: document at
> 
> http://java.sun.com/j2se/1.3/docs/guide/security/index.html
> 
> says
> 
> * Policy-based, easily-configurable, fine-grained access control....
> 
> Access control is one element of securing a server, as is
> authentication, encryption, non-repudiation, SSL etc.
> 
> Access control is performed by Java 2 security manager as well as J2EE
> and they complement each other.  JAAS (JDK1.3 extension) which extends
> the Java 2 model and which is now included in JDK1.4 extends the Java 2
> security model to provide principal based access control on top of code
> source.  So access control is firmly part of Java security.
> 
> There should be additional sections on 'server security' that includes
> configuring the server for use with SSL.
> 

I have seen the general term 'security' used instead of a more descriptive
term like SSL Encryption, SecurityManager, or Access Control.  My point
is that these are very different things, and the documentation should
be constructed so that users use those terms rather than the general
term "Security".

Security
  Overview - types of security
  J2EE Security Model
  User Access Control (Realms & roles)
  Java SecurityManager
  SSL Data Encryption


Yes, JAAS can be used to control access for executing code based on what role
the user is in.  At this point there is no support in Tomcat for JAAS.

There are two ways I see JAAS being used within Tomcat sometime in the future.

  1. Policy based JAAS access control to Tomcat's manager or admin servlet.

  2. Some Policy configuration tool for webapps that supports normal Java 
     SecurityManager configuration and JAAS policy based access control.

Regards,

Glenn

----------------------------------------------------------------------
Glenn Nielsen             [EMAIL PROTECTED] | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------
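The developer-role to deployment-role mapping discussed above, shown as a constructed web.xml fragment (added illustration, not part of the thread or of Tomcat's own documentation; the servlet class, role names and URL pattern are made up for the example):

```xml
<!-- Constructed web.xml fragment (Servlet 2.3 style) illustrating the
     J2EE role indirection: code tests the developer's role name, the
     deployer decides which real role it maps to. -->
<web-app>
  <servlet>
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>example.ReportServlet</servlet-class>
    <!-- "reporter" is the name the developer hard-coded in the servlet,
         e.g. request.isUserInRole("reporter"). -->
    <security-role-ref>
      <role-name>reporter</role-name>
      <!-- The deployer links it to the role that actually exists in
           this deployment's Realm. -->
      <role-link>finance-staff</role-link>
    </security-role-ref>
  </servlet>

  <!-- Container-enforced authorization: only finance-staff may reach
       anything under /reports/. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>finance-staff</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Reports</realm-name>
  </login-config>

  <!-- Deployment roles must be declared so the container can check
       auth-constraint and role-link against a known list. -->
  <security-role>
    <role-name>finance-staff</role-name>
  </security-role>
</web-app>
```

Which users hold `finance-staff` is decided by the configured Realm (for example a JDBC Realm's roles table), so the same web application can be deployed against different user stores without touching the servlet code.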
