You can develop your own implementations of the SecurityService. For example a JDBCSecurityService or an OJBSecurityService could be usefull for some people. -- Humberto
> -----Original Message----- > From: Rodrigo Reyes [mailto:[EMAIL PROTECTED]] > Sent: Monday, February 17, 2003 8:56 AM > To: Turbine Developers List > Subject: Re: Is there some new security service being developed? > > > Stephen > Ok, I know JAAS was not specificly designed with webapps > in mind. Still, > I think that the fact that it is a low-level security > framework makes it > specially secure. I have been thinking that every action and > screen could > implement the PrivilegedAction Interface so the default > implementation of > the run method is the one which, on authorization succed, executes the > doPerform or doBuildTemplate methods. What do you think? > On the other hand, I have been told that there is a new > security service > being developed, but it will still rely on Torque. Since > Torque is being > decoupled from Turbine, I think relying the security service > on it is not a > very good idea, since there will be some users that would > like to use the > security framework, but wouldn't like to use Torque (and that > is my specific > case). > I am not saying a Torque based security service is not > useful. I am > saying the security framework should be thougth as open as > possible so any > one could implement a new engine under its API (read > interfaces) without > hurting the rest of Turbine. Sorry if this is an old issue > already, but I am > new to the mailing list. Hope this all makes sense :) > > Rodrigo > > > ----- Original Message ----- > From: "Stephen Haberman" <[EMAIL PROTECTED]> > To: "Turbine Developers List" <[EMAIL PROTECTED]> > Sent: Saturday, February 15, 2003 3:37 PM > Subject: Re: Is there some new security service being developed? > > > > On Sat, Feb 15, 2003 at 11:56:34AM -0500, Rodrigo Reyes wrote: > > > Torque. Since we don't want to use Torque just because of the > > > security service, we have been thinking about creating our own > > > Security Service basing it on JAAS. > > [snip] > > > But even if JASF gets into Turbine, is it JAAS based? Thanx... > > > > This JAAS issue came up when JASF was being discussed, as you have > > noted, but after browsing the Sun website, unless you can convince > > me otherwise, I really doubt that JAAS is the type of thing you're > > looking for. Specifically, there is a quote of what JAAS can do: > > > > "Describes a utility program that authenticates a user using JAAS > > and executes any application as that user." > > > > > http://java.sun.com/j2se/1.4/docs/guide/security/jgss/tutorial s/index.html > > JAAS, to me, seems like a low-level security system specifically > built into the Java runtime to allow things like above, e.g. > authenticating the name/password a user gives against, say, a > Kerberos database, and then letting them execute the Java code under > a special set of permissions. > > Is this really what you want to do? Perhaps it is, but I'm thinking > most users of Turbine just want to authenticate from an > HTTP/SOAP/XML-RPC request, not via a Kerberos, or similarly complex, > authentication server, and then authorize access to certain web > pages and user data, not control what classes/files/etc. the user > can load within the Java VM. > > Though perhaps I'm missing a part of JAAS? Do you have a link to an > example of what you want JAAS to do within the context of Turbine? > > Thanks, > Stephen > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
