Noel J. Bergman wrote:
> Roland Weber wrote:
>> The current Caitrin Proposal mentions user management:
>> JAAS is not an API for user management. It is an API for
>> authentication (check passwords) and authorization.
> Have you asked what the proposal means by user management?
Nope. I just assumed that user management is about managing
users and groups :-)
> If it is
> intended as an umbrella that covers authorization, then JAAS is a potential
> fit, although we have another potential project that would also serve.
>> I assume that you have a servlet container (Tomcat) or
>> JEE environment (Geronimo). In that case, I would never
>> try to deal with user management myself, but always leave
>> that to the container.
> JEE container-managed security does not cover instance-based authorization,
> and would not address which part(s) of a gallery a given entity can access.
It covers authentication and statically assigned roles.
Hence my suggestion to lower the authorization requirements
to a level that can be easily implemented based on the
information that JEE offers. A username is readily available,
and so are the roles of the current user.
You're right, of course: it is necessary to store the access
control information somewhere. Either with the photos in the
gallery backend, or somewhere in the authorization component,
or both. It will not be possible to simply defer this question
as I had hoped. JCR 2.0 comes with an API for authorization,
but it's not here yet.
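As an added example (not code from the proposal or from either writer in this thread) of the arrangement discussed above: the container supplies the username and the statically assigned roles, and the application keeps the per-gallery access control information itself and combines the two for instance-based decisions. The class, permission names, the "admin" and "editors" role names and the sample galleries are all assumptions made for this illustration; the only real API referenced is the servlet container's `getRemoteUser()` / `isUserInRole()` pair, which is passed in as a predicate so the class compiles with a plain JDK.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

/**
 * Hypothetical per-gallery authorizer. Authentication and roles come from the
 * container (getRemoteUser / isUserInRole); the ACL below is application data.
 * Every decision is deny-by-default.
 */
public final class GalleryAuthorizer {

    public enum Permission { VIEW, UPLOAD, MANAGE }

    /** ACL for one gallery: owner, public-view flag, per-user and per-role grants. */
    public static final class GalleryAcl {
        final String owner;
        final boolean publicView;
        final Map<String, EnumSet<Permission>> userGrants = new HashMap<>();
        final Map<String, EnumSet<Permission>> roleGrants = new HashMap<>();

        GalleryAcl(String owner, boolean publicView) {
            this.owner = owner;
            this.publicView = publicView;
        }
        GalleryAcl grantUser(String user, Permission... p) {
            userGrants.put(user, EnumSet.of(p[0], p));
            return this;
        }
        GalleryAcl grantRole(String role, Permission... p) {
            roleGrants.put(role, EnumSet.of(p[0], p));
            return this;
        }
    }

    private final Map<String, GalleryAcl> acls = new HashMap<>();
    private final String adminRole; // container role that may do anything (assumed name)

    public GalleryAuthorizer(String adminRole) { this.adminRole = adminRole; }

    public void register(String galleryId, GalleryAcl acl) { acls.put(galleryId, acl); }

    /**
     * @param user         container principal name, null when unauthenticated
     * @param isUserInRole the container's role check (e.g. request::isUserInRole)
     */
    public boolean isAllowed(String galleryId, String user,
                             Predicate<String> isUserInRole, Permission p) {
        GalleryAcl acl = acls.get(galleryId);
        if (acl == null) return false;                        // unknown gallery: deny
        if (isUserInRole.test(adminRole)) return true;        // site admin: container role
        if (p == Permission.VIEW && acl.publicView) return true; // anonymous read allowed
        if (user == null) return false;                       // everything else needs a login
        if (user.equals(acl.owner)) return true;              // owner: full control of own gallery
        if (acl.userGrants.getOrDefault(user, EnumSet.noneOf(Permission.class)).contains(p))
            return true;                                      // explicit per-user grant
        for (Map.Entry<String, EnumSet<Permission>> e : acl.roleGrants.entrySet())
            if (e.getValue().contains(p) && isUserInRole.test(e.getKey()))
                return true;                                  // grant to a container role
        return false;
    }

    /** Constructed sample data; in a servlet the predicate would be request::isUserInRole. */
    public static void main(String[] args) {
        GalleryAuthorizer authz = new GalleryAuthorizer("admin");
        authz.register("family", new GalleryAcl("alice", false));
        authz.register("vacation", new GalleryAcl("alice", true)
                .grantUser("bob", Permission.UPLOAD)
                .grantRole("editors", Permission.MANAGE));

        Predicate<String> noRoles = r -> false;
        Predicate<String> editors = r -> Set.of("editors").contains(r);
        Predicate<String> admins  = r -> Set.of("admin").contains(r);

        check(true,  authz.isAllowed("vacation", null,    noRoles, Permission.VIEW));   // public gallery
        check(false, authz.isAllowed("family",   null,    noRoles, Permission.VIEW));   // private gallery
        check(true,  authz.isAllowed("vacation", "bob",   noRoles, Permission.UPLOAD)); // per-user grant
        check(false, authz.isAllowed("vacation", "bob",   noRoles, Permission.MANAGE)); // not granted
        check(true,  authz.isAllowed("vacation", "carol", editors, Permission.MANAGE)); // via role
        check(false, authz.isAllowed("family",   "carol", editors, Permission.VIEW));   // role only on vacation
        check(true,  authz.isAllowed("family",   "dave",  admins,  Permission.MANAGE)); // admin role
        check(false, authz.isAllowed("missing",  "alice", noRoles, Permission.VIEW));   // unknown id
        System.out.println("all checks passed");
    }

    private static void check(boolean expected, boolean actual) {
        if (expected != actual) throw new AssertionError("unexpected decision");
    }
}
```

In a servlet or JSP the call becomes `authz.isAllowed(galleryId, request.getRemoteUser(), request::isUserInRole, Permission.VIEW)`, so the container stays the only source of identity and roles, while the gallery-specific part of the decision lives in data the application owns, whether stored next to the photos or in a separate authorization component.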