In fact, JAAS was _the_ primary driving factor in what eventually
became JSecurity: I had to execute a number of security operations
for an application, and the only thing out there was JAAS. I found
myself drowning in their mish-mash of incomprehensible APIs and
obscure VM-level security constructs (which I didn't care about - I
wanted application-level security). So, I wrote an alternative that
only worked in that current application (covered in the Project
History on our About page: http://www.jsecurity.org/about), and
changed it over time to be flexible for any application.
JSPWiki uses JAAS.
It's consistently been the single biggest source of user problems for
us. Or was, until we rewrote big portions of the API to get rid of
JAR signing and the "one policy per VM" rules (and a bunch of other
small annoyances which kept us tearing our hairs out and made
everybody pester us). JAAS works for us now, because there's almost
none of it left anymore. We still interface with it, but it took a
long time to make it user-friendly and relatively zero-config.
I personally applaud any attempt to actually make an usable, generic
and flexible security system, and it would be wonderful if Apache
could offer that.
/Janne
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
