Posted to dev@geronimo.apache.org by Ivan <xh...@gmail.com> on 2009/11/12 11:27:29 UTC

User Admin Service in Geronimo 3.0 OSGI-Integration

Hi,
    In the OSGI world, the User Admin service is used for authentication and
authorization. I am thinking about what we could do between the User Admin
Service and Geronimo 3.0.
    On one side, is it possible for Geronimo to provide a User Admin service
implementation? From my view, it is not. It seems that it is better for
the authentication providers, such as an LDAP server, etc., to provide those
implementations, not Geronimo. IIRC, Geronimo only ships a property-file-based
solution, and it is just a "doll" used for the admin console.
    On the other side, is it possible for Geronimo to take advantage of the
User Admin service? Compared with JAAS/JACC used in Geronimo now, User Admin is
a role-based security model. In my feeling, it is more general:
    a. It does not specify what to do and how to do it in a Java EE
environment, while in the Java world, special permission objects are defined
in JACC, like WebResourcePermission for web applications, EJBMethodPermission
for EJB applications, etc.
    b. The way authorization is done is also somewhat different. In the User
Admin service, for each action, a group containing the allowed users/groups is
defined; at runtime, it will check whether the current context implies the
group object.
    So currently, for authentication, we might define a login module based on
the User Admin service; for authorization, I do not see a clear idea :-(
   Not sure whether there are other sides where we could use it in Geronimo
3.0. Thanks for any comments!

-- 
Ivan
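
An added sketch, not part of the original post and not Geronimo code: a JAAS LoginModule that authenticates against org.osgi.service.useradmin, plus the per-action group check described in point b. The class name, the "userAdmin" option key and the "username"/"password" property and credential keys are assumptions made for illustration.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.osgi.service.useradmin.*;

// Hypothetical class: JAAS authentication delegated to an OSGi UserAdmin service.
public class UserAdminLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private UserAdmin userAdmin; // assumed to be handed in through the options map
    private Authorization authz; // non-null only after a successful login()

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
        subject = s;
        handler = h;
        userAdmin = (UserAdmin) options.get("userAdmin"); // hypothetical option key
    }
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pw = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { name, pw }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e.getMessage()); }
        char[] chars = pw.getPassword();
        pw.clearPassword();
        // "username" and "password" are assumed property/credential keys
        User user = userAdmin.getUser("username", name.getName());
        // One error for unknown user and wrong password, so the message does not reveal which
        if (user == null || chars == null || !user.hasCredential("password", new String(chars)))
            throw new FailedLoginException("authentication failed");
        authz = userAdmin.getAuthorization(user);
        return true;
    }
    public boolean commit() {
        if (authz == null) return false;           // login() did not succeed
        subject.getPublicCredentials().add(authz); // keep the Authorization for later checks
        return true;
    }
    public boolean abort() { authz = null; return true; }
    public boolean logout() {
        subject.getPublicCredentials().removeIf(c -> c instanceof Authorization);
        authz = null;
        return true;
    }
    // Point b: an action is allowed only if the caller's context implies the action's group.
    public static boolean isAllowed(Subject s, String actionGroup) {
        return s.getPublicCredentials(Authorization.class).stream()
                .anyMatch(a -> a.hasRole(actionGroup));
    }
}
```

The default in isAllowed is deny: a Subject that carries no Authorization, or one whose Authorization does not imply the action's group, gets false.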