Posted to dev@geronimo.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2008/10/23 18:46:14 UTC
AC/US /security/ related talk need (2 weeks from yesterday)
Hello Experts,
the AC/US planning team has a 1hr gap in the program, of the "Security"
topic track 1 on Thursday 6 November.
http://us.apachecon.com/c/acus2008/schedule/2008/11/06
Please get back to me ASAP if you have (or would like to create) a session
that hits one or more of the bullets below;
* security related
* ideally of some interest to admins, perhaps of interest to devs
* ideally related to some aspect of securing systems or apps with
consideration of client vulnerabilities
I'd appreciate any suggestions by Sat a.m., so whoever offers
to pick this up has a solid week+ to prepare. Certainly by Mon a.m.
please? Remember all the usual speaker benefits apply, including
registration, and some flight and lodging costs.
Bill
Re: AC/US /security/ related talk need (2 weeks from yesterday)
Posted by David Jencks <da...@yahoo.com>.
On Oct 24, 2008, at 4:40 PM, Davanum Srinivas wrote:
> David,
>
> 2 cents: how one would secure Geronimo in an enterprise scenario (say
> LDAP servers) would help the admin guys, I think.
That would be using the LDAP login module? I could use that as the
example of swapping credential validation. Maybe I'm being too
ambitious.... I thought that was covered pretty well in the docs.
thanks
david jencks
>
>
> -- dims
>
> On Fri, Oct 24, 2008 at 7:07 PM, David Jencks
> <da...@yahoo.com> wrote:
>> Geronimo Security, now and coming soon
>>
>> Security can be divided into negotiation for credentials, credential
>> validation, and authorization.
>>
>> First we'll look at setting up and swapping credential validation in
>> Geronimo, a simple process everyone has to do to secure an
>> application.
>>
>> Then we'll look at the JACC authorization framework where the security
>> constraints in the Java EE deployment descriptors and annotations are
>> translated into Java permissions and used, together with a
>> principal-role mapping, to authorize requests at runtime. If time
>> allows we'll look at swapping JACC implementations. We'll look at
>> extending the JACC concepts to other authorization decisions such as
>> in portal frameworks.
>>
>> Finally we'll look at the upcoming JASPI support that allows pluggable
>> negotiation for credentials and see how it can be used to plug OpenID
>> authentication into a web app to replace basic or form based
>> authentication.
>>
>>
>> ------------
>> I haven't written this yet so having lots of time to work on it would
>> be great and any suggestions for improvement would be appreciated.
>>
>> thanks
>> david jencks
>>
>> On Oct 23, 2008, at 9:46 AM, William A. Rowe, Jr. wrote:
>>
>>> Hello Experts,
>>>
>>> the AC/US planning team has a 1hr gap in the program, of the "Security"
>>> topic track 1 on Thursday 6 November.
>>>
>>> http://us.apachecon.com/c/acus2008/schedule/2008/11/06
>>>
>>> Please get back to me ASAP if you have (or would like to create) a session
>>> that hits one or more of the bullets below;
>>>
>>> * security related
>>>
>>> * ideally of some interest to admins, perhaps of interest to devs
>>>
>>> * ideally related to some aspect of securing systems or apps with
>>> consideration of client vulnerabilities
>>>
>>> I'd appreciate any suggestions by Sat a.m., so whoever offers
>>> to pick this up has a solid week+ to prepare. Certainly by Mon a.m.
>>> please? Remember all the usual speaker benefits apply, including
>>> registration, and some flight and lodging costs.
>>>
>>> Bill
>>>
>>
>>
>
>
>
> --
> Davanum Srinivas :: http://davanum.wordpress.com
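The LDAP login module David mentions is one instance of what the container actually plugs in for credential validation: a JAAS LoginModule. The code below is an added illustration, not Geronimo code and not from the thread. It validates against a constructed in-memory table of salted SHA-256 digests and populates the Subject with user and group principals, which is everything the authorization step later needs; an LDAP variant would replace verify() with a bind against the directory and leave the rest unchanged. The class names, the sample accounts and the programmatic Configuration used to run it stand-alone are assumptions; wiring a module into a Geronimo security realm is the part covered by the Geronimo docs.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/**
 * Credential validation as a swappable JAAS LoginModule. The container only sees the
 * contract (initialize / login / commit / abort / logout); an LDAP module differs from
 * this one only in verify(), which would bind to the directory instead of checking a table.
 */
public class TableLoginModule implements LoginModule {
    /** user -> {salt, SHA-256(salt || password)}, filled from constructed sample accounts. */
    private static final Map<String, byte[][]> USERS = new HashMap<>();
    private static final Map<String, List<String>> GROUPS = new HashMap<>();
    static {
        enroll("alice", "correct horse", "admin", "users");
        enroll("bob", "battery staple", "users");
    }

    static void enroll(String user, String password, String... groups) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        USERS.put(user, new byte[][] { salt, digest(salt, password.toCharArray()) });
        GROUPS.put(user, Arrays.asList(groups));
    }

    static byte[] digest(byte[] salt, char[] password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(new String(password).getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    /** Constant-time compare; unknown users still pay for one digest so timing does not reveal who exists. */
    static boolean verify(String user, char[] password) {
        byte[][] rec = USERS.get(user);
        byte[] salt = rec == null ? new byte[16] : rec[0];
        byte[] expected = rec == null ? new byte[32] : rec[1];
        boolean match = MessageDigest.isEqual(expected, digest(salt, password));
        return rec != null && match;
    }

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private final Set<Principal> added = new HashSet<>();

    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    /** Phase 1: collect credentials through the container's CallbackHandler and validate them. */
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("cannot collect credentials: " + e); }
        char[] pw = pc.getPassword();                 // a copy; wipe both once used
        pc.clearPassword();
        if (pw == null) pw = new char[0];
        boolean ok = nc.getName() != null && verify(nc.getName(), pw);
        Arrays.fill(pw, '\0');
        if (!ok) throw new FailedLoginException("invalid user or password");
        user = nc.getName();
        return true;
    }

    /** Phase 2: populate the Subject with the principals the principal-role mapping will later see. */
    public boolean commit() {
        if (user == null) return false;
        added.add(new NamedPrincipal("user", user));
        for (String g : GROUPS.get(user)) added.add(new NamedPrincipal("group", g));
        subject.getPrincipals().addAll(added);
        return true;
    }

    public boolean abort() { user = null; added.clear(); return true; }
    public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); user = null; return true; }

    /** Drives a LoginContext with a programmatic Configuration, as the container does from its realm config. */
    public static Set<Principal> authenticate(String name, char[] password) throws LoginException {
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(TableLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()) };
            }
        };
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(name);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password);
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("demo", new Subject(), h, cfg);
        lc.login();                                   // LoginException on bad credentials
        return lc.getSubject().getPrincipals();
    }

    public static void main(String[] args) throws LoginException {
        System.out.println(authenticate("alice", "correct horse".toCharArray()));
        try { authenticate("alice", "wrong".toCharArray()); }
        catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}

/** Minimal typed principal; a container's own principal classes take this place and the role mapping names them. */
final class NamedPrincipal implements Principal {
    private final String type, name;
    NamedPrincipal(String type, String name) { this.type = type; this.name = name; }
    public String getName() { return name; }
    @Override public String toString() { return type + ":" + name; }
    @Override public boolean equals(Object o) { return o instanceof NamedPrincipal && toString().equals(o.toString()); }
    @Override public int hashCode() { return toString().hashCode(); }
}
```

The point of the two-phase login/commit split is that with several modules stacked (REQUIRED, SUFFICIENT, ...) nothing touches the Subject until every module has agreed, so a failed second module cannot leave a half-populated Subject behind. The principals added in commit() are the only thing the later authorization step sees, which is why the group principals matter as much as the user principal.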
Re: AC/US /security/ related talk need (2 weeks from yesterday)
Posted by Davanum Srinivas <da...@gmail.com>.
David,
2 cents: how one would secure Geronimo in an enterprise scenario (say
LDAP servers) would help the admin guys, I think.
-- dims
On Fri, Oct 24, 2008 at 7:07 PM, David Jencks <da...@yahoo.com> wrote:
> Geronimo Security, now and coming soon
>
> Security can be divided into negotiation for credentials, credential
> validation, and authorization.
>
> First we'll look at setting up and swapping credential validation in
> Geronimo, a simple process everyone has to do to secure an application.
>
> Then we'll look at the JACC authorization framework where the security
> constraints in the Java EE deployment descriptors and annotations are
> translated into Java permissions and used, together with a principal-role
> mapping, to authorize requests at runtime. If time allows we'll look at
> swapping JACC implementations. We'll look at extending the JACC concepts to
> other authorization decisions such as in portal frameworks.
>
> Finally we'll look at the upcoming JASPI support that allows pluggable
> negotiation for credentials and see how it can be used to plug OpenID
> authentication into a web app to replace basic or form based authentication.
>
>
> ------------
> I haven't written this yet so having lots of time to work on it would be
> great and any suggestions for improvement would be appreciated.
>
> thanks
> david jencks
>
> On Oct 23, 2008, at 9:46 AM, William A. Rowe, Jr. wrote:
>
>> Hello Experts,
>>
>> the AC/US planning team has a 1hr gap in the program, of the "Security"
>> topic track 1 on Thursday 6 November.
>>
>> http://us.apachecon.com/c/acus2008/schedule/2008/11/06
>>
>> Please get back to me ASAP if you have (or would like to create) a session
>> that hits one or more of the bullets below;
>>
>> * security related
>>
>> * ideally of some interest to admins, perhaps of interest to devs
>>
>> * ideally related to some aspect of securing systems or apps with
>> consideration of client vulnerabilities
>>
>> I'd appreciate any suggestions by Sat a.m., so whoever offers
>> to pick this up has a solid week+ to prepare. Certainly by Mon a.m.
>> please? Remember all the usual speaker benefits apply, including
>> registration, and some flight and lodging costs.
>>
>> Bill
>>
>
>
--
Davanum Srinivas :: http://davanum.wordpress.com
Re: AC/US /security/ related talk need (2 weeks from yesterday)
Posted by David Jencks <da...@yahoo.com>.
Geronimo Security, now and coming soon
Security can be divided into negotiation for credentials, credential
validation, and authorization.
First we'll look at setting up and swapping credential validation in
Geronimo, a simple process everyone has to do to secure an application.
Then we'll look at the JACC authorization framework where the security
constraints in the Java EE deployment descriptors and annotations are
translated into Java permissions and used, together with a principal-role
mapping, to authorize requests at runtime. If time allows we'll look at
swapping JACC implementations. We'll look at extending the JACC concepts
to other authorization decisions such as in portal frameworks.
Finally we'll look at the upcoming JASPI support that allows pluggable
negotiation for credentials and see how it can be used to plug OpenID
authentication into a web app to replace basic or form based
authentication.
------------
I haven't written this yet so having lots of time to work on it would
be great and any suggestions for improvement would be appreciated.
thanks
david jencks
On Oct 23, 2008, at 9:46 AM, William A. Rowe, Jr. wrote:
> Hello Experts,
>
> the AC/US planning team has a 1hr gap in the program, of the "Security"
> topic track 1 on Thursday 6 November.
>
> http://us.apachecon.com/c/acus2008/schedule/2008/11/06
>
> Please get back to me ASAP if you have (or would like to create) a session
> that hits one or more of the bullets below;
>
> * security related
>
> * ideally of some interest to admins, perhaps of interest to devs
>
> * ideally related to some aspect of securing systems or apps with
> consideration of client vulnerabilities
>
> I'd appreciate any suggestions by Sat a.m., so whoever offers
> to pick this up has a solid week+ to prepare. Certainly by Mon a.m.
> please? Remember all the usual speaker benefits apply, including
> registration, and some flight and lodging costs.
>
> Bill
>
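The JACC step of the abstract (security constraints translated into Java permissions, a principal-role mapping, and a runtime decision) in working code. This is an added example, not Geronimo's JACC provider and not from the thread: RolePolicy stands in for a provider's PolicyConfiguration and Policy, the constraints, paths and principal names are constructed, and it assumes the javax.security.jacc API jar (javax.security.jacc-api, 1.4 or later for the "!" method-exception syntax) on the classpath. Geronimo's mapping also keys principals by class; mapping by name alone here is a simplification.

```java
import java.security.Permission;
import java.security.Permissions;
import java.security.Principal;
import java.util.*;
import javax.security.jacc.WebResourcePermission;

/**
 * Stand-in for a JACC provider's PolicyConfiguration plus Policy: the excluded,
 * unchecked and per-role permission collections the deployer builds from the
 * security constraints, a principal-to-role mapping, and the per-request decision.
 */
public class RolePolicy {
    private final Permissions excluded = new Permissions();
    private final Permissions unchecked = new Permissions();
    private final Map<String, Permissions> perRole = new HashMap<>();
    // Principal name -> roles (assumption: name only; Geronimo's mapping also keys on principal class).
    private final Map<String, Set<String>> principalRoles = new HashMap<>();

    // Same shape as PolicyConfiguration.addToExcludedPolicy / addToUncheckedPolicy / addToRole.
    public void addToExcludedPolicy(Permission p) { excluded.add(p); }
    public void addToUncheckedPolicy(Permission p) { unchecked.add(p); }
    public void addToRole(String role, Permission p) {
        perRole.computeIfAbsent(role, r -> new Permissions()).add(p);
    }
    public void mapPrincipal(String principalName, String... roles) {
        principalRoles.computeIfAbsent(principalName, k -> new HashSet<>()).addAll(Arrays.asList(roles));
    }

    /**
     * One <security-constraint>: URL pattern, HTTP methods (null = all) and the allowed roles.
     * No roles models an empty <auth-constraint/>, which excludes the resource from everyone.
     */
    public void constraint(String urlPattern, String methods, String... rolesAllowed) {
        WebResourcePermission perm = new WebResourcePermission(urlPattern, methods);
        if (rolesAllowed.length == 0) addToExcludedPolicy(perm);
        for (String role : rolesAllowed) addToRole(role, perm);
    }

    /** JACC decision order: excluded wins, then unchecked (no caller needed), then the caller's roles. */
    public boolean implies(Collection<? extends Principal> caller, Permission wanted) {
        if (excluded.implies(wanted)) return false;
        if (unchecked.implies(wanted)) return true;
        for (Principal p : caller) {
            for (String role : principalRoles.getOrDefault(p.getName(), Collections.emptySet())) {
                Permissions perms = perRole.get(role);
                if (perms != null && perms.implies(wanted)) return true;
            }
        }
        return false;
    }

    /** The permission the container builds per request (WebResourcePermission(HttpServletRequest) in real life). */
    public boolean allows(Collection<? extends Principal> caller, String method, String path) {
        return implies(caller, new WebResourcePermission(path, method));
    }

    public static void main(String[] args) {
        RolePolicy policy = new RolePolicy();
        // Constructed constraints, as a deployer would translate them from web.xml or @ServletSecurity.
        policy.constraint("/admin/*", "GET,POST", "admin");
        policy.constraint("/api/*", "GET", "users", "admin");
        policy.constraint("/internal/*", null);
        // Everything no constraint covers is unchecked: default pattern "/" qualified by the constrained ones.
        policy.addToUncheckedPolicy(new WebResourcePermission("/:/admin/*:/api/*:/internal/*", (String) null));
        // Uncovered-method trap: the /api/* constraint names only GET, so every other method on /api/* is
        // unconstrained and the deployer grants it unchecked ("!GET" = all methods except GET) unless
        // web.xml says <deny-uncovered-http-methods/>. Remove the next line and anonymous POST is denied.
        policy.addToUncheckedPolicy(new WebResourcePermission("/api/*", "!GET"));

        policy.mapPrincipal("alice", "admin", "users");   // the principal-role mapping
        policy.mapPrincipal("bob", "users");
        List<Principal> alice = Collections.singletonList((Principal) () -> "alice");
        List<Principal> bob = Collections.singletonList((Principal) () -> "bob");
        List<Principal> anonymous = Collections.emptyList();

        System.out.println("alice GET /admin/users: " + policy.allows(alice, "GET", "/admin/users"));   // admin role
        System.out.println("bob GET /admin/users: " + policy.allows(bob, "GET", "/admin/users"));       // users role only
        System.out.println("bob GET /api/items: " + policy.allows(bob, "GET", "/api/items"));           // users role
        System.out.println("anon GET /index.html: " + policy.allows(anonymous, "GET", "/index.html"));  // unchecked default
        System.out.println("anon POST /api/items: " + policy.allows(anonymous, "POST", "/api/items"));  // uncovered method
        System.out.println("alice GET /internal/stats: " + policy.allows(alice, "GET", "/internal/stats")); // excluded
    }
}
```

Two things in the sample are worth a second look on a real deployment plan. The qualified default pattern is how JACC expresses "everything else is public": forget to qualify it and the unchecked grant silently covers the constrained paths too. And the "!GET" grant is the permission-level shape of the uncovered-HTTP-method problem; auditing the generated unchecked permissions is a quicker check for it than reading every security-constraint by hand.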