Stephen
    Ok, I know JAAS was not specifically designed with webapps in mind. Still,
I think that the fact that it is a low-level security framework makes it
specially secure. I have been thinking that every action and screen could
implement the PrivilegedAction Interface so the default implementation of
the run method is the one which, on authorization success, executes the
doPerform or doBuildTemplate methods. What do you think?
    On the other hand, I have been told that there is a new security service
being developed, but it will still rely on Torque. Since Torque is being
decoupled from Turbine, I think basing the security service on it is not a
very good idea, since there will be some users that would like to use the
security framework, but wouldn't like to use Torque (and that is my specific
case).
    I am not saying a Torque based security service is not useful. I am
saying the security framework should be thought of as being as open as possible so
anyone could implement a new engine under its API (read interfaces) without
hurting the rest of Turbine. Sorry if this is an old issue already, but I am
new to the mailing list. Hope this all makes sense :)

Rodrigo


----- Original Message -----
From: "Stephen Haberman" <[EMAIL PROTECTED]>
To: "Turbine Developers List" <[EMAIL PROTECTED]>
Sent: Saturday, February 15, 2003 3:37 PM
Subject: Re: Is there some new security service being developed?


> On Sat, Feb 15, 2003 at 11:56:34AM -0500, Rodrigo Reyes wrote:
> > Torque. Since we don't want to use Torque just because of the
> > security service, we have been thinking about creating our own
> > Security Service basing it on JAAS.
> [snip]
> > But even if JASF gets into Turbine, is it JAAS based? Thanx...
>
> This JAAS issue came up when JASF was being discussed, as you have
> noted, but after browsing the Sun website, unless you can convince
> me otherwise, I really doubt that JAAS is the type of thing you're
> looking for. Specifically, there is a quote of what JAAS can do:
>
> "Describes a utility program that authenticates a user using JAAS
> and executes any application as that user."
>
> http://java.sun.com/j2se/1.4/docs/guide/security/jgss/tutorials/index.html
>
> JAAS, to me, seems like a low-level security system specifically
> built into the Java runtime to allow things like above, e.g.
> authenticating the name/password a user gives against, say, a
> Kerberos database, and then letting them execute the Java code under
> a special set of permissions.
>
> Is this really what you want to do? Perhaps it is, but I'm thinking
> most users of Turbine just want to authenticate from an
> HTTP/SOAP/XML-RPC request, not via a Kerberos, or similarly complex,
> authentication server, and then authorize access to certain web
> pages and user data, not control what classes/files/etc. the user
> can load within the Java VM.
>
> Though perhaps I'm missing a part of JAAS? Do you have a link to an
> example of what you want JAAS to do within the context of Turbine?
>
> Thanks,
> Stephen
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
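
A sketch of the design proposed in the message above, added here as an illustration; it is not part of the original e-mail and not Turbine's code. `SecuredAction`, `RolePrincipal` and `SecuredActionDemo` are hypothetical names, `doPerform()` takes no arguments here, and the `Subject` is handed to the action directly instead of coming from a JAAS `LoginContext`.

```java
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

// Hypothetical base class standing in for a Turbine action (assumption).
abstract class SecuredAction implements PrivilegedAction<Void> {
    private final Subject subject;      // the authenticated caller
    private final String requiredRole;  // role this action demands

    SecuredAction(Subject subject, String requiredRole) {
        this.subject = subject;
        this.requiredRole = requiredRole;
    }

    // Default run(): authorize first, call doPerform() only on success.
    // Declared final so a subclass cannot skip the check.
    @Override
    public final Void run() {
        boolean allowed = subject != null && subject.getPrincipals().stream()
                .anyMatch(p -> p instanceof RolePrincipal
                        && p.getName().equals(requiredRole));
        if (!allowed) {
            throw new SecurityException("role '" + requiredRole + "' required");
        }
        doPerform();
        return null;
    }

    protected abstract void doPerform();
}

// Constructed principal type; with JAAS a LoginModule would add these at login.
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

public class SecuredActionDemo {
    public static void main(String[] args) {
        Subject editor = new Subject();               // constructed sample subjects
        editor.getPrincipals().add(new RolePrincipal("editor"));
        Subject guest = new Subject();                // carries no role principal
        for (Subject s : new Subject[] { editor, guest }) {
            SecuredAction action = new SecuredAction(s, "editor") {
                @Override protected void doPerform() { System.out.println("doPerform executed"); }
            };
            try { action.run(); }
            catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        }
    }
}
```

The check lives behind the abstract class, so a Torque-backed or any other engine could supply the principals without the actions changing.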



