Kasper Nielsen wrote: >what about a joint venture with commons/avalon/other apache projects im sure >people have lots of inputs/ideas for a security framework, I see no reason >why it should be coupled to fulcrum. > In fact, I have spent some time grepping Tomcat-4.1 cvs sources for "doAs", "SubjectDomain", ... looking for the security implementation there.
This came because I saw the light tonight ;) in that THE WAY of having a security implementation would be to have tomcat call the servlet service call with a Subject.doAs( currentSubject, requestAction ), (or doAsPrivileged, to also enforce code base permissions) so that declarative security would hold independent of the framework, as long as it is authenticated by the servlet container or a default run-as anonymous user exists in the container. The Servlet Spec specifies the run-as element to do this kind of work, when no authenticated user exists. Earlier (SRV 12.7) it says: A security identity, or principal, must always be provided for use in a call to an enterprise bean. The default mode in calls to enterprise beans from web applications is for the security identity of a web user to be propagated to the EJBTM container. As far as I see it, tomcat should use doAs to enforce this. I wonder what tomcat people thinks about this, so I cc: Craig to see... ;) -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
