AC/US /security/ related talk need (2 weeks from yesterday)

["William A. Rowe, Jr." <wr...@rowe-clan.net>]

Hello Experts,

the AC/US planning team has a 1hr gap in the program, of the "Security"
topic track 1 on Thursday 6 November.

http://us.apachecon.com/c/acus2008/schedule/2008/11/06

Please get back to me ASAP if you have (or would like to create) a session
that hits one or more of the bullets below;

 * security related

 * ideally of some interest to admins, perhaps of interest to devs

 * ideally related to some aspect of securing systems or apps with
   consideration of client vulnerabilities

I'd appreciate any suggestions by Sat a.m., so whomever offers
to pick this up a solid week+ to prepare.  Certainly by Mon a.m.
please?  Remember all the usual speaker benefits apply, including
registration, and some flight and lodging costs.

Bill

Re: AC/US /security/ related talk need (2 weeks from yesterday)

[David Jencks <da...@yahoo.com>]

On Oct 24, 2008, at 4:40 PM, Davanum Srinivas wrote:

> David,
>
> 2 cents, how would one secure Geronimo in an enterprise scenario (say
> LDAP servers) would help the admin guys i think.

That would be using the ldap login module?  I could use that as the  
example of swapping credential validation.  Maybe I'm being too  
ambitious.... I thought that was covered pretty well in the docs.

thanks
david jencks

>
>
> -- dims
>
> On Fri, Oct 24, 2008 at 7:07 PM, David Jencks  
> <da...@yahoo.com> wrote:
>> Geronimo Security, now and coming soon
>>
>> Security can be divided into negotiation for credentials, credential
>> validation, and authorization.
>>
>> First we'll look at setting up and swapping credential validation in
>> geronimio, a simple process everyone has to do to secure an  
>> application.
>>
>> Then we'll look at the JACC authorization framework where the  
>> security
>> constraints in the javaee deployment descriptors and annotations are
>> translated into java permissions and used, together with a  
>> principal-role
>> mapping, to authorize requests at runtime.  If time allows we'll  
>> look at
>> swapping JACC implementations.  We'll look at extending the JACC  
>> concepts to
>> other authorization decisions such as in portal frameworks.
>>
>> Finally we'll look at the upcoming JASPI support that allows  
>> pluggable
>> negotiation for credentials and see how it can be used to plug openid
>> authentication into a web app to replace basic or form based  
>> authentication.
>>
>>
>> ------------
>> I haven't written this yet so having lots of time to work on it  
>> would be
>> great and any suggestions for improvement would be appreciated.
>>
>> thanks
>> david jencks
>>
>> On Oct 23, 2008, at 9:46 AM, William A. Rowe, Jr. wrote:
>>
>>> Hello Experts,
>>>
>>> the AC/US planning team has a 1hr gap in the program, of the  
>>> "Security"
>>> topic track 1 on Thursday 6 November.
>>>
>>> http://us.apachecon.com/c/acus2008/schedule/2008/11/06
>>>
>>> Please get back to me ASAP if you have (or would like to create) a  
>>> session
>>> that hits one or more of the bullets below;
>>>
>>> * security related
>>>
>>> * ideally of some interest to admins, perhaps of interest to devs
>>>
>>> * ideally related to some aspect of securing systems or apps with
>>> consideration of client vulnerabilities
>>>
>>> I'd appreciate any suggestions by Sat a.m., so whomever offers
>>> to pick this up a solid week+ to prepare.  Certainly by Mon a.m.
>>> please?  Remember all the usual speaker benefits apply, including
>>> registration, and some flight and lodging costs.
>>>
>>> Bill
>>>
>>
>>
>
>
>
> -- 
> Davanum Srinivas :: http://davanum.wordpress.com

Re: AC/US /security/ related talk need (2 weeks from yesterday)

[Davanum Srinivas <da...@gmail.com>]

David,

2 cents, how would one secure Geronimo in an enterprise scenario (say
LDAP servers) would help the admin guys i think.

-- dims

On Fri, Oct 24, 2008 at 7:07 PM, David Jencks <da...@yahoo.com> wrote:
> Geronimo Security, now and coming soon
>
> Security can be divided into negotiation for credentials, credential
> validation, and authorization.
>
> First we'll look at setting up and swapping credential validation in
> geronimio, a simple process everyone has to do to secure an application.
>
> Then we'll look at the JACC authorization framework where the security
> constraints in the javaee deployment descriptors and annotations are
> translated into java permissions and used, together with a principal-role
> mapping, to authorize requests at runtime.  If time allows we'll look at
> swapping JACC implementations.  We'll look at extending the JACC concepts to
> other authorization decisions such as in portal frameworks.
>
> Finally we'll look at the upcoming JASPI support that allows pluggable
> negotiation for credentials and see how it can be used to plug openid
> authentication into a web app to replace basic or form based authentication.
>
>
> ------------
> I haven't written this yet so having lots of time to work on it would be
> great and any suggestions for improvement would be appreciated.
>
> thanks
> david jencks
>
> On Oct 23, 2008, at 9:46 AM, William A. Rowe, Jr. wrote:
>
>> Hello Experts,
>>
>> the AC/US planning team has a 1hr gap in the program, of the "Security"
>> topic track 1 on Thursday 6 November.
>>
>> http://us.apachecon.com/c/acus2008/schedule/2008/11/06
>>
>> Please get back to me ASAP if you have (or would like to create) a session
>> that hits one or more of the bullets below;
>>
>> * security related
>>
>> * ideally of some interest to admins, perhaps of interest to devs
>>
>> * ideally related to some aspect of securing systems or apps with
>>  consideration of client vulnerabilities
>>
>> I'd appreciate any suggestions by Sat a.m., so whomever offers
>> to pick this up a solid week+ to prepare.  Certainly by Mon a.m.
>> please?  Remember all the usual speaker benefits apply, including
>> registration, and some flight and lodging costs.
>>
>> Bill
>>
>
>



-- 
Davanum Srinivas :: http://davanum.wordpress.com

Re: AC/US /security/ related talk need (2 weeks from yesterday)

[David Jencks <da...@yahoo.com>]

Geronimo Security, now and coming soon

Security can be divided into negotiation for credentials, credential  
validation, and authorization.

First we'll look at setting up and swapping credential validation in  
geronimio, a simple process everyone has to do to secure an application.

Then we'll look at the JACC authorization framework where the security  
constraints in the javaee deployment descriptors and annotations are  
translated into java permissions and used, together with a principal- 
role mapping, to authorize requests at runtime.  If time allows we'll  
look at swapping JACC implementations.  We'll look at extending the  
JACC concepts to other authorization decisions such as in portal  
frameworks.

Finally we'll look at the upcoming JASPI support that allows pluggable  
negotiation for credentials and see how it can be used to plug openid  
authentication into a web app to replace basic or form based  
authentication.


------------
I haven't written this yet so having lots of time to work on it would  
be great and any suggestions for improvement would be appreciated.

thanks
david jencks

On Oct 23, 2008, at 9:46 AM, William A. Rowe, Jr. wrote:

> Hello Experts,
>
> the AC/US planning team has a 1hr gap in the program, of the  
> "Security"
> topic track 1 on Thursday 6 November.
>
> http://us.apachecon.com/c/acus2008/schedule/2008/11/06
>
> Please get back to me ASAP if you have (or would like to create) a  
> session
> that hits one or more of the bullets below;
>
> * security related
>
> * ideally of some interest to admins, perhaps of interest to devs
>
> * ideally related to some aspect of securing systems or apps with
>   consideration of client vulnerabilities
>
> I'd appreciate any suggestions by Sat a.m., so whomever offers
> to pick this up a solid week+ to prepare.  Certainly by Mon a.m.
> please?  Remember all the usual speaker benefits apply, including
> registration, and some flight and lodging costs.
>
> Bill
>