Posted to dev@geronimo.apache.org by David Jencks <da...@yahoo.com> on 2007/11/05 18:12:29 UTC

Security for dynamic content apps -- gettogether at ApacheCon?

I've worked a bit on integrating Roller and Jetspeed2 into Geronimo  
and one thing that quickly becomes clear is that the authorization  
security requirements of these "dynamic content" applications are  
almost completely unrelated to the javaee security specifications.   
One small possible overlap is that the JACC spec supplies the  
possibility of pluggable policies for authorization evaluation.

I wondered if people would be interested in getting together to  
discuss how app servers such as geronimo and security products such  
as TripleSec could support these non-javaee security requirements and  
how much commonality there might be across different types of  
application.  I'll be at ApacheCon all week and would be happy to  
talk to everyone individually or in an informal meeting.

Some of the things I've been wondering about are:

- permission definition
- user administration: how are users added and removed or have their  
permissions changed.
- resource administration: how are resources such as blogs, portal  
pages, or portlets added or removed or have their user access changed
- specification of "default policy" for new users and new resources:  
e.g. when a new user signs up what can they do?

thanks!
david jencks


Re: Security for dynamic content apps -- gettogether at ApacheCon?

Posted by Ate Douma <at...@douma.nu>.
David Jencks wrote:
> I've worked a bit on integrating Roller and Jetspeed2 into Geronimo and 
> one thing that quickly becomes clear is that the authorization security 
> requirements of these "dynamic content" applications are almost 
> completely unrelated to the javaee security specifications.  One small 
> possible overlap is that the JACC spec supplies the possibility of 
> pluggable policies for authorization evaluation.
> 
> I wondered if people would be interested in getting together to discuss 
> how app servers such as geronimo and security products such as TripleSec 
> could support these non-javaee security requirements and how much 
> commonality there might be across different types of application.  I'll 
> be at ApacheCon all week and would be happy to talk to everyone 
> individually or in an informal meeting.
I'll be at ApacheCon all week too, and would definitely like to discuss these matters.
For Jetspeed 2.2 (or 2.3) we plan to revisit our current security model, so this is perfect timing for us to see how we can bring more alignment/compatibility with app servers and security products.

See you in Atlanta next week!

Regards,

Ate

> 
> Some of the things I've been wondering about are:
> 
> - permission definition
> - user administration: how are users added and removed or have their 
> permissions changed.
> - resource administration: how are resources such as blogs, portal 
> pages, or portlets added or removed or have their user access changed
> - specification of "default policy" for new users and new resources: 
> e.g. when a new user signs up what can they do?
> 
> thanks!
> david jencks


Re: Security for dynamic content apps -- gettogether at ApacheCon?

Posted by David Jencks <da...@yahoo.com>.
Based on the responses I've received I'd like to propose that I talk  
with people individually early in the week and that we get together  
Thursday night perhaps around 8:00 PM to discuss and see if we have  
any conclusions.  I'll see if I can find a location.

thanks!
david jencks

On Nov 5, 2007, at 9:12 AM, David Jencks wrote:

> I've worked a bit on integrating Roller and Jetspeed2 into Geronimo  
> and one thing that quickly becomes clear is that the authorization  
> security requirements of these "dynamic content" applications are  
> almost completely unrelated to the javaee security specifications.   
> One small possible overlap is that the JACC spec supplies the  
> possibility of pluggable policies for authorization evaluation.
>
> I wondered if people would be interested in getting together to  
> discuss how app servers such as geronimo and security products such  
> as TripleSec could support these non-javaee security requirements  
> and how much commonality there might be across different types of  
> application.  I'll be at ApacheCon all week and would be happy to  
> talk to everyone individually or in an informal meeting.
>
> Some of the things I've been wondering about are:
>
> - permission definition
> - user administration: how are users added and removed or have  
> their permissions changed.
> - resource administration: how are resources such as blogs, portal  
> pages, or portlets added or removed or have their user access changed
> - specification of "default policy" for new users and new  
> resources: e.g. when a new user signs up what can they do?
>
> thanks!
> david jencks
>


Re: Security for dynamic content apps -- gettogether at ApacheCon?

Posted by Alex Karasulu <ak...@apache.org>.
Unfortunately I'm not going to be going to ApacheCons in the US but to the
EU ones from now on.  However I would love to either get a summary or
partake in the discussion if someone can ping me from IRC or via Skype.
This is something I think will benefit us all.  Thanks David for driving
these talks.

Alex

On 11/5/07, David Jencks <da...@yahoo.com> wrote:
>
> I've worked a bit on integrating Roller and Jetspeed2 into Geronimo
> and one thing that quickly becomes clear is that the authorization
> security requirements of these "dynamic content" applications are
> almost completely unrelated to the javaee security specifications.
> One small possible overlap is that the JACC spec supplies the
> possibility of pluggable policies for authorization evaluation.
>
> I wondered if people would be interested in getting together to
> discuss how app servers such as geronimo and security products such
> as TripleSec could support these non-javaee security requirements and
> how much commonality there might be across different types of
> application.  I'll be at ApacheCon all week and would be happy to
> talk to everyone individually or in an informal meeting.
>
> Some of the things I've been wondering about are:
>
> - permission definition
> - user administration: how are users added and removed or have their
> permissions changed.
> - resource administration: how are resources such as blogs, portal
> pages, or portlets added or removed or have their user access changed
> - specification of "default policy" for new users and new resources:
> e.g. when a new user signs up what can they do?
>
> thanks!
> david jencks
>
>

Re: Security for dynamic content apps -- gettogether at ApacheCon?

Posted by David Sean Taylor <da...@bluesunrise.com>.
On Nov 5, 2007, at 9:12 AM, David Jencks wrote:

> I've worked a bit on integrating Roller and Jetspeed2 into Geronimo  
> and one thing that quickly becomes clear is that the authorization  
> security requirements of these "dynamic content" applications are  
> almost completely unrelated to the javaee security specifications.   
> One small possible overlap is that the JACC spec supplies the  
> possibility of pluggable policies for authorization evaluation.
>
> I wondered if people would be interested in getting together to  
> discuss how app servers such as geronimo and security products such  
> as TripleSec could support these non-javaee security requirements  
> and how much commonality there might be across different types of  
> application.  I'll be at ApacheCon all week and would be happy to  
> talk to everyone individually or in an informal meeting.

I will be in Atlanta Thursday night and Friday morning, if you have  
time Thursday night that would be great


Re: Security for dynamic content apps -- gettogether at ApacheCon?

Posted by Phillip Rhodes <mi...@cpphacker.co.uk>.
David Jencks wrote:

>>
>> Also, FYI, some of this discussion may overlap with the discussion(s)
>> going on on the "social network portability" Google Group.
> 
> Do you have links to any of these discussions?
>

This is probably the best example:

<http://groups.google.com/group/social-network-portability/browse_thread/thread/e9040a877541afab/54d84b99bd501400?lnk=gst&q=identity#>

Some of the others may be of interest as well, but I haven't gone back
through the entire archive yet.  I only recently joined the group so I
missed a lot of the earlier discussions.


TTYL,


Phil


Re: Security for dynamic content apps -- gettogether at ApacheCon?

Posted by David Jencks <da...@yahoo.com>.
On Nov 5, 2007, at 10:15 AM, Phillip Rhodes wrote:

>
>>
>> The situation gets even messier with social networking data, where
>> each user can things like field visibility based on friends, close
>> friends, those in my network, etc. I think there are some very
>> interesting challenges at the intersection of social software and
>> "enterprise" identity and I wonder if Java EE roles/policy can be
>> extended in that direction.
>
> Dang, wish I was going to ApacheCon, I'd love to be part of this
> discussion.  Hopefully you guys will post notes online somewhere?
> Maybe setup a wiki or something?

definitely

>
> Also, FYI, some of this discussion may overlap with the discussion(s)
> going on on the "social network portability" Google Group.

Do you have links to any of these discussions?

Also if there are other people/projects that might be interested  
(CMS???) I'd like to contact them also...

thanks
david jencks
>
>
> TTYL,
>
>
> Phil
>


Re: Security for dynamic content apps -- gettogether at ApacheCon?

Posted by Matt Raible <ma...@raibledesigns.com>.
When were you hoping to get together? I'll be at ApacheCon from
Wednesday evening through Friday afternoon.

Matt

On 11/5/07, Phillip Rhodes <mi...@cpphacker.co.uk> wrote:
>
> >
> > The situation gets even messier with social networking data, where
> > each user can things like field visibility based on friends, close
> > friends, those in my network, etc. I think there are some very
> > interesting challenges at the intersection of social software and
> > "enterprise" identity and I wonder if Java EE roles/policy can be
> > extended in that direction.
>
> Dang, wish I was going to ApacheCon, I'd love to be part of this
> discussion.  Hopefully you guys will post notes online somewhere? Maybe
> setup a wiki or something?
>
> Also, FYI, some of this discussion may overlap with the discussion(s)
> going on on the "social network portability" Google Group.
>
>
> TTYL,
>
>
> Phil
>
>


-- 
http://raibledesigns.com

Re: Security for dynamic content apps -- gettogether at ApacheCon?

Posted by Phillip Rhodes <mi...@cpphacker.co.uk>.
> 
> The situation gets even messier with social networking data, where
> each user can things like field visibility based on friends, close
> friends, those in my network, etc. I think there are some very
> interesting challenges at the intersection of social software and
> "enterprise" identity and I wonder if Java EE roles/policy can be
> extended in that direction.

Dang, wish I was going to ApacheCon, I'd love to be part of this
discussion.  Hopefully you guys will post notes online somewhere? Maybe
setup a wiki or something?

Also, FYI, some of this discussion may overlap with the discussion(s)
going on on the "social network portability" Google Group.


TTYL,


Phil


Re: Security for dynamic content apps -- gettogether at ApacheCon?

Posted by Dave <sn...@gmail.com>.
On 11/5/07, David Jencks <da...@yahoo.com> wrote:
> I've worked a bit on integrating Roller and Jetspeed2 into Geronimo
> and one thing that quickly becomes clear is that the authorization
> security requirements of these "dynamic content" applications are
> almost completely unrelated to the javaee security specifications.
> One small possible overlap is that the JACC spec supplies the
> possibility of pluggable policies for authorization evaluation.
>
> I wondered if people would be interested in getting together to
> discuss how app servers such as geronimo and security products such
> as TripleSec could support these non-javaee security requirements and
> how much commonality there might be across different types of
> application.  I'll be at ApacheCon all week and would be happy to
> talk to everyone individually or in an informal meeting.
>
> Some of the things I've been wondering about are:
>
> - permission definition
> - user administration: how are users added and removed or have their
> permissions changed.
> - resource administration: how are resources such as blogs, portal
> pages, or portlets added or removed or have their user access changed
> - specification of "default policy" for new users and new resources:
> e.g. when a new user signs up what can they do?

I'm interested in chatting about this at ApacheCon.

The situation gets even messier with social networking data, where
each user can things like field visibility based on friends, close
friends, those in my network, etc. I think there are some very
interesting challenges at the intersection of social software and
"enterprise" identity and I wonder if Java EE roles/policy can be
extended in that direction.

- Dave
