Full JAAS integration is desired for the 1.0 final release to support those who actually implement containers. JSecurity is usable in all containers today, both web and non-web today, just not via JAAS yet.

The reason it is not in place now and hasn't been in 3 years is that the vast majority of our community - application and framework developers - could care less about JAAS - it is a cumbersome, difficult to understand, quirky mechanism. I've given presentations on JSecurity and had many discussions in private, and I always ask my audience: "How many people have heard of JAAS?" Maybe 40-50% of the listeners affirm they have. Then I ask, "How many of you have used the JAAS API or its constructs (permissions files, etc.)?" That number has been consistently around 1-2%.

In fact, JAAS was _the_ primary driving factor in what eventually became JSecurity: I had to execute a number of security operations for an application, and the only thing out there was JAAS. I found myself drowning in their mish-mash of incomprehensible APIs and obscure VM-level security constructs (which I didn't care about - I wanted application-level security). So, I wrote an alternative that only worked in that current application (covered in the Project History on our About page: http://www.jsecurity.org/about), and changed it over time to be flexible for any application. The end result is a framework that is far more desirable for the huge majority of people that write applications.

In fact, in the history of the project, I've only come across 2 or 3 indications that an effort for full JAAS support is desired - two over a year ago and now in this thread. So, you can see why we haven't spent much time in actually accomplishing this.

But, all of this being said, we have _always_ expected to integrate very nicely with JAAS in either way: JAAS sits on top of JSecurity or JSecurity on top of JAAS, using whatever JAAS integration mechanisms exist. We're hoping with our adoption in the ASF community, that people will join the project to assist in this effort specifically. The JSecurity API has been designed such that JAAS integration, whenever needed, would be a simple task. That has always been in the back of our minds, 'just in case'.

Finally, although not necessarily our initial intentions, I think it would be amazing if JSecurity could be a model for a new JSR that could supplement or replace what JAAS is today. I don't know if that will ever happen, but if we as an ASF community desire it, then I think it would be a great idea for further discussion.

Cheers,

Les

On Sun, Jun 8, 2008 at 10:13 AM, Noel J. Bergman <[EMAIL PROTECTED]> wrote:
> How does JSecurity relate to existing standards, e.g., JAAS, JACC,
> WS-Security, etc.?
>
> The only reference I found is a comment in the slide show saying "Simplify
> or replace JAAS." Well JAAS is the Java standard in this space, and part of
> the Java core, so are we proposing a replacement or supplement to the JCP?
> I also see that JSecurity web support relies on a return to
> application-level security based on a filter, rather than rely on container
> management, which has evolved as a cornerstone of Java programming. The
> reliance on a filter is probably because JSecurity is not (yet?) integrated
> with the Java standards in the security space.
>
> It seems to me that there ought to be some support for Java specifications
> and container managed security, if projects such as Tomcat, Geronimo,
> Jetspeed, et al, are to consider JSecurity.
>
> This isn't a statement about suitability for Incubation, just a discussion
> point. :-)
>
> --- Noel
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]