incubator-general mailing list archives

From "Les Hazlewood" <>
Subject Re: [PROPOSAL] Incubate JSecurity Project
Date Sun, 08 Jun 2008 16:16:47 GMT
Full JAAS integration is desired for the 1.0 final release to support
those who actually implement containers.  JSecurity is usable in all
containers today, both web and non-web, just not via JAAS yet.

The reason it is not in place now and hasn't been in 3 years is that
the vast majority of our community - application and framework
developers - could care less about JAAS - it is a cumbersome,
difficult to understand, quirky mechanism.

I've given presentations on JSecurity and had many discussions in
private, and I always ask my audience:  "How many people have heard of
JAAS?"  Maybe 40-50% of the listeners affirm they have.  Then I ask,
"how many of you have used the JAAS API or its constructs (permissions
files, etc)?".  That number has been consistently around 1-2%.

In fact, JAAS was _the_ primary driving factor in what eventually
became JSecurity:  I had to execute a number of security operations
for an application, and the only thing out there was JAAS.  I found
myself drowning in their mish-mash of incomprehensible APIs and
obscure VM-level security constructs (which I didn't care about - I
wanted application-level security).  So, I wrote an alternative that
only worked in that current application (covered in the Project
History on our About page:, and
changed it over time to be flexible for any application.

The end result is a framework that is far more desirable for the huge
majority of people that write applications.  In fact, in the history
of the project, I've only come across 2 or 3 indications that an
effort for full JAAS support is desired - two over a year ago and now
in this thread.  So, you can see why we haven't spent much time in
actually accomplishing this.

But, all of this being said, we have _always_ expected to integrate
very nicely with JAAS in either way:  JAAS sits on top of JSecurity or
JSecurity on top of JAAS, using whatever JAAS integration mechanisms
that exist.  We're hoping with our adoption in the ASF community, that
people will join the project to assist in this effort specifically.
The JSecurity API has been designed such that JAAS integration,
whenever needed, would be a simple task.  That has always been in the
back of our minds, 'just in case'.

Finally, although not necessarily our initial intentions, I think it
would be amazing if JSecurity could be a model for a new JSR that
could supplement or replace what JAAS is today.  I don't know if that
will ever happen, but if we as an ASF community desire it, then I
think it would be a great idea for further discussion.



On Sun, Jun 8, 2008 at 10:13 AM, Noel J. Bergman <> wrote:
> How does JSecurity relate to existing standards, e.g., JAAS, JACC,
> WS-Security, etc.?
> The only reference I found is a comment in the slide show saying "Simplify
> or replace JAAS."  Well JAAS is the Java standard in this space, and part of
> the Java core, so are we proposing a replacement or supplement to the JCP?
> I also see that JSecurity web support relies on a return to
> application-level security based on a filter, rather than rely on container
> management, which has evolved as a cornerstone of Java programming.  The
> reliance on a filter is probably because JSecurity is not (yet?) integrated
> with the Java standards in the security space.
> It seems to me that there ought to be some support for Java specifications
> and container managed security, if projects such as Tomcat, Geronimo,
> Jetspeed, et al, are to consider JSecurity.
> This isn't a statement about suitability for Incubation, just a discussion
> point.  :-)
>        --- Noel