>> * Should the user management default be Apache Directory or a
>> simple database?
> User management is ambiguous. Are we talking about authentication?
> Authorization? And we should probably not be dependent on a particular
> repository type.
That was the only occurrence of the term that I left in the
proposal :-) Since Apache Directory was mentioned, I found
it unambiguous there. The real choice is of course LDAP or
>> * How will access control be implemented?
> TBD, and it may exist at different control points, e.g., at the business
> logic level (container or component managed) and data store level
>> * Will the Web service just provide data for machine to machine
>> exchanges or will it default to human readable?
> I doubt that the "Web service" would be in any way human readable, by
> default or otherwise.
>> Access control should provide the option to mark photos as public
>> (anyone), protected (invite only), or private (just the owner).
>> Options for managing the invites for each user are LDAP or a simple
>> database. Permission checking can be implemented in the backend
>> as a Jackrabbit access manager or in an application layer. Candidate
>> technologies are JAAS and JSecurity, which both allow for pluggable
> As noted above, access control (authorization) can be handled at multiple
> points. The surface area related to authorization should be strictly
> limited, and not pervasive.
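The public / protected (invite only) / private model quoted above, written out as a single authorization check so the decision lives in one place rather than being scattered through the code. This is an added illustration, not code from the thread or the project: it is plain Java with no Jackrabbit, JAAS or JSecurity API calls, and the class names (`Photo`, `PhotoAuthorizer`, `PhotoAccessDemo`), the use of bare user-name strings as principals, and the sample users are all assumptions made for the example. A Jackrabbit access manager or an application-layer filter would delegate to `canView` rather than re-implementing the rules.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/** Visibility levels from the proposal: public (anyone), protected (invite only), private (owner only). */
enum Visibility { PUBLIC, PROTECTED, PRIVATE }

/** Minimal photo record. Owner and invitee identifiers are opaque user names (assumption for this example). */
final class Photo {
    final String owner;
    final Visibility visibility;
    private final Set<String> invitees;

    Photo(String owner, Visibility visibility, Set<String> invitees) {
        this.owner = owner;
        this.visibility = visibility;
        this.invitees = new HashSet<>(invitees); // defensive copy so callers cannot mutate the invite list later
    }

    Set<String> invitees() {
        return Collections.unmodifiableSet(invitees);
    }
}

/**
 * The one enforcement point for "may this principal view this photo".
 * Keeping the rules here keeps the authorization surface small; every
 * control point (repository access manager or application layer) delegates to it.
 */
final class PhotoAuthorizer {
    /** An unauthenticated caller is represented by a null principal. */
    static final String ANONYMOUS = null;

    boolean canView(String principal, Photo photo) {
        if (photo == null) {
            return false; // deny by default
        }
        // The owner can always see their own photo, whatever its visibility.
        if (principal != null && principal.equals(photo.owner)) {
            return true;
        }
        switch (photo.visibility) {
            case PUBLIC:
                return true;
            case PROTECTED:
                // Anonymous callers are never on an invite list.
                return principal != null && photo.invitees().contains(principal);
            case PRIVATE:
                return false;
            default:
                return false; // unknown level: fail closed
        }
    }
}

public class PhotoAccessDemo {
    public static void main(String[] args) {
        PhotoAuthorizer authz = new PhotoAuthorizer();

        // Constructed sample data: alice owns three photos, bob is invited to the protected one.
        Set<String> invited = new HashSet<>();
        invited.add("bob");
        Photo pub  = new Photo("alice", Visibility.PUBLIC, Collections.<String>emptySet());
        Photo prot = new Photo("alice", Visibility.PROTECTED, invited);
        Photo priv = new Photo("alice", Visibility.PRIVATE, Collections.<String>emptySet());

        System.out.println("anonymous -> public:    " + authz.canView(PhotoAuthorizer.ANONYMOUS, pub));
        System.out.println("anonymous -> protected: " + authz.canView(PhotoAuthorizer.ANONYMOUS, prot));
        System.out.println("bob -> protected:       " + authz.canView("bob", prot));
        System.out.println("carol -> protected:     " + authz.canView("carol", prot));
        System.out.println("alice -> private:       " + authz.canView("alice", priv));
        System.out.println("bob -> private:         " + authz.canView("bob", priv));
    }
}
```

Whether the invite list is backed by LDAP group membership or a database table only changes how `invitees()` is populated; the decision logic and its fail-closed defaults stay the same, which is what keeps the authorization surface limited as the reply above asks.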