incubator-general mailing list archives

From "Noel J. Bergman"
Subject RE: [PROPOSAL] Incubate JSecurity Project
Date Mon, 09 Jun 2008 17:41:01 GMT
Les Hazlewood wrote:

> I've given presentations on JSecurity and had many discussions in
> private, and I always ask my audience:  "How many people have heard
> of JAAS?"  Maybe 40-50% of the listeners affirm they have.  Then I
> ask, "how many of you have used the JAAS API or its constructs
> (permissions files, etc)?".  That number has been consistently
> around 1-2%.

Right.  But that is probably because most of the other 98%-99% of JEE developers rely on container-managed
access, and don't write any security code.  If anything, they might make a role-check in UI
code to see what navigation options to offer.  The percentage of JEE developers who need more
than container-managed, role-based authorization is relatively low, although for those who
need it, it is essential.

Container-managed security fails at the instance level, e.g., the container can restrict access
to the ClientAccount bean methods to the Customer role, but does not enforce WHICH customer
login can access WHICH bean instance.  What is JSecurity's approach, and what would it look
like for the lookup (JNDI) and injection (annotation) models?

	--- Noel
