incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Janne Jalkanen <>
Subject Re: [PROPOSAL] Incubate JSecurity Project
Date Sun, 08 Jun 2008 18:57:00 GMT
> In fact, JAAS was _the_ primary driving factor in what eventually
> became JSecurity:  I had to execute a number of security operations
> for an application, and the only thing out there was JAAS.  I found
> myself drowning in their mish-mash of incomprehensible APIs and
> obscure VM-level security constructs (which I didn't care about - I
> wanted application-level security).  So, I wrote an alternative that
> only worked in that current application (covered in the Project
> History on our About page:, and
> changed it over time to be flexible for any application.

JSPWiki uses JAAS.

It's consistently been the single biggest source of user problems for  
us.  Or was, until we rewrote big portions of the API to get rid of  
JAR signing and the "one policy per VM" rules (and a bunch of other  
small annoyances which kept us tearing our hairs out and made  
everybody pester us).  JAAS works for us now, because there's almost  
none of it left anymore.  We still interface with it, but it took a  
long time to make it user-friendly and relatively zero-config.

I personally applaud any attempt to actually make an usable, generic  
and flexible security system, and it would be wonderful if Apache  
could offer that.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message