[jboss-user] [JBoss Seam] - Re: Why not JAAS for security?

norman.richards@jboss.com do-not-reply at jboss.com
Mon Oct 22 21:07:27 EDT 2007


JAAS is not a security implementation.  It is an API for interacting with security implementations.  Seam can interact with JAAS, but years of experience with JAAS have proven that it is not a very effective API.  It works ok for the most basic role-based authorization, but it's too heavy and inflexible to be used directly for the type of authorization tasks we were targeting.

Why did we use Drools?  First, keep in mind that you only need to use Drools to implement fine-grained permissions.  If you just need simple roles, then you don't need to use Drools.  A rule base makes sense to implement this type of thing.  Everyone on the Seam team knows and likes the Drools guys.  Drools works well, and it plays nicely with JBPM, which we also use.  We'd always prefer to use standards-based technologies, but where no useful standard exists, we have to pick something.

The good news is that Seam is a very flexible system.  It should not be hard for someone to implement support for another rules engine.  If there is any interest in that from the Seam community, I'm sure it will happen.


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4097676#4097676