So with the introduction of a pluggable authorization service for the J2EE 1.4 JACC requirement, we have opened up the possibility of having a very general authorization decision service. One main problem with the existing service is that it has no extensibility in terms of what permissions have been assigned to roles with a given context.
I talked to Abhijit Belapurkar at JavaOne about an implementation he did based on the XACML implementation from Sun, and I will work with him on at least getting this into the codebase as a test case of an alternate implementation, to keep implementation-detail assumptions from leaking into the security aspects on top of JACC. I do want to look at moving to a default JACC provider that is built on XACML, as the current overloading of the JAAS authentication phase to provide the declarative roles is too limiting.
This topic is the start of discussion on what needs to be done to move to the next generation of JACC implementation, and more generally the next generation of authorization service.
I don't expect to get too much done for a month as I'm focused on finalizing 4.0.3 and there is vacation time on the horizon.
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3886241#3886241