Posted to dev@avalon.apache.org by "MCCAY,LARRY (HP-NewJersey,ex2)" <la...@hp.com> on 2002/01/21 05:11:39 UTC

AAA Security

All,

Attached is quite a busy collaboration diagram describing the interaction of
the potential players in the AAA implementation.

A couple of things that need to be determined - the client-facing API for:
	1. Authentication
		a. JAAS client API
		b. proprietary API to abstract the authentication mechanism -
including JAAS

	2. Authorization
		a. J2SE authorization APIs
		b. proprietary API to abstract the implementation

I am inclined to try and provide an abstraction through a proprietary API.

With that said, I think that we need to assume the use of the JAAS subject
as a vehicle for identity and attribute principals and credentials.  The
subject would follow the user through the request/session through the use of
Subject.doAs() and/or doAsPrivileged() - this basically associates the
subject with the current thread of execution.

Using this mechanism, we have a standard vehicle to use as a security
context and a standard mechanism to acquire it from the thread context -
Subject.getSubject().

We are not obligated to use JAAS login modules or JAAS policy as the only
mechanisms for authentication and authorization.

Any thoughts?

thanks,

--Larry
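The thread-binding Larry describes, as an added illustration (not code from the original post or from Avalon): a Subject carrying an identity principal and a role principal is bound to the calling thread with Subject.doAs(), and a hypothetical AuthorizationManager recovers it with Subject.getSubject() instead of consulting Java2 Policy. The UserPrincipal, RolePrincipal and AuthorizationManager classes are assumptions for the example; on JDK 18 and later these JAAS calls are deprecated in favour of Subject.callAs() and Subject.current().

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

public class AaaSubjectDemo {

    /** Identity principal; the container would populate it from whichever authentication mechanism it chose. */
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Attribute principal (a role) carried in the same Subject as the identity. */
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Hypothetical authorization abstraction: decides from the thread's Subject, not from Java2 Policy. */
    static final class AuthorizationManager {
        boolean isAuthorized(String requiredRole) {
            // Subject.getSubject() reads the Subject that doAs() attached to the current AccessControlContext
            Subject current = Subject.getSubject(AccessController.getContext());
            if (current == null) {
                return false; // no authenticated Subject on this thread: fail closed
            }
            for (RolePrincipal r : current.getPrincipals(RolePrincipal.class)) {
                if (r.getName().equals(requiredRole)) return true;
            }
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed Subject: one identity principal, one role principal, no credentials; read-only so callers cannot add roles
        Set<Principal> principals = new HashSet<>();
        principals.add(new UserPrincipal("alice"));
        principals.add(new RolePrincipal("admin"));
        Subject alice = new Subject(true, principals, Collections.emptySet(), Collections.emptySet());
        AuthorizationManager authz = new AuthorizationManager();

        // Outside doAs() no Subject is bound to the thread, so the manager has nothing to grant against
        System.out.println("before doAs: " + authz.isAuthorized("admin"));
        // Inside doAs() the Subject follows the request through every call made on this thread
        boolean inside = Subject.doAs(alice, (PrivilegedAction<Boolean>) () -> authz.isAuthorized("admin"));
        System.out.println("inside doAs: " + inside);
    }
}
```

Because the Subject travels with the AccessControlContext rather than a parameter, any component called from within doAs() can perform the same check without the caller passing identity explicitly.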



Re: AAA Security

Posted by Peter Donald <pe...@apache.org>.
On Mon, 21 Jan 2002 15:11, MCCAY,LARRY (HP-NewJersey,ex2) wrote:
> Attached is quite a busy collaboration diagram describing the interaction
> of the potential players in the AAA implementation.

looks good. One question though - does AuthorizationManager use the standard 
Java2 permissions model?


> A couple of things that need to be determined - the client-facing API for:
> 	1. Authentication
> 		a. JAAS client API
> 		b. proprietary API to abstract the authentication mechanism -
> including JAAS
>
> 	2. Authorization
> 		a. J2SE authorization APIs
> 		b. proprietary API to abstract the implementation
>
> I am inclined to try and provide an abstraction through a proprietary API.
>
> With that said, I think that we need to assume the use of the JAAS subject
> as a vehicle for identity and attribute principals and credentials.  The
> subject would follow the user through the request/session through the use
> of Subject.doAs() and/or doAsPrivileged() - this basically associates the
> subject with the current thread of execution.
>
> Using this mechanism, we have a standard vehicle to use as a security
> context and a standard mechanism to acquire it from the thread context -
> Subject.getSubject().
>
> We are not obligated to use JAAS login modules or JAAS policy as the only
> mechanisms for authentication and authorization.
>
> Any thoughts?

Works for me. I am not really familiar with JAAS, but if it is useful to provide
an abstraction over the top then I am all for that ;)

-- 
Cheers,

Pete

The big mistake that men make is that when they turn thirteen or fourteen and
all of a sudden they've reached puberty, they believe that they like women.
Actually, you're just horny. It doesn't mean you like women any more at
twenty-one than you did at ten.                --Jules Feiffer (cartoonist)



RE: AAA Security

Posted by Stephen McConnell <mc...@osm.net>.

> -----Original Message-----
> From: MCCAY,LARRY (HP-NewJersey,ex2) [mailto:lawrence_mccay-iii@hp.com]
> Sent: Monday, 21 January, 2002 05:12
> To: 'avalon-dev@jakarta.apache.org'
> Subject: AAA Security
>
>
> All,
>
> Attached is quite a busy collaboration diagram describing the
> interaction of
> the potential players in the AAA implementation.
>
> A couple of things that need to be determined - the client-facing API for:
> 	1. Authentication
> 		a. JAAS client API
> 		b. proprietary API to abstract the authentication mechanism -
> including JAAS
>
> 	2. Authorization
> 		a. J2SE authorization APIs
> 		b. proprietary API to abstract the implementation
>
> I am inclined to try and provide an abstraction through a proprietary API.
>
> With that said, I think that we need to assume the use of the JAAS subject
> as a vehicle for identity and attribute principals and credentials.  The
> subject would follow the user through the request/session through
> the use of
> Subject.doAs() and/or doAsPrivileged() - this basically associates the
> subject with the current thread of execution.
>
> Using this mechanism, we have a standard vehicle to use as a security
> context and a standard mechanism to acquire it from the thread context -
> Subject.getSubject().
>
> We are not obligated to use JAAS login modules or JAAS policy as the only
> mechanisms for authentication and authorization.

This last sentence ... do you mean that in using JAAS we can take advantage
of authentication policy configuration mechanisms (which allow pluggable
authentication mechanisms), or that this would not be an obligation?

Cheers, Steve.


> Any thoughts?
>
> thanks,
>
> --Larry
>
>
>

