Instance Based ACL Implementation
I talked to Scott about Seam Security and the instance-based security that is important
for non-AS projects like Drools, Portal, jBPM and Seam.

There are two prominent projects that have tried to solve instance-based security:
1) OSAccess from OpenSymphony [1] through [3] (a dead project now)
2) Acegi Security for Spring [4]

I also point you to an article on IBM developerWorks for the differences between container
authorization (typically RBAC) and data-driven authorization (instance-based).

What we will provide:
A simple library that does a mapping between the role structure (groups, nested roles etc.)
and instance-based CRUD (bits representing CRUD). The key here is to keep it simple and
fast. The library can have pluggable implementation strategies like Hibernate, LDAP, cache,
whatever.

Integration for Drools, jBPM, Portal etc.:
Scott feels that they should integrate via Seam (same opinion from Proctor) because Seam
is AS agnostic. They can integrate with JBoss Security to play nice with JBAS. Seam can
then make use of the ACL implementation to provide other integration faces to different
containers (WS, WL etc.).

References:

OSAccess
[1] http://wiki.opensymphony.com/display/OS/OSAccess
[2] https://osaccess.dev.java.net/
[3] http://osdir.com/ml/java.open-symphony.devel/2002-07/msg00035.html (Note: Steve Ebersole in the mail)

Acegi Security For Spring
[4] http://www.acegisecurity.org/acegi-security/apidocs/index.html
Look at the packages: org.acegisecurity.acl, org.acegisecurity.acls and their subpackages

Authorization Concepts and Solutions for J2EE Applications
[5] http://www.ibm.com/developerworks/websphere/library/techarticles/0607_i...

View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4097956#...
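
Added example, not part of the original post and not code from JBoss, Seam, OSAccess or Acegi: one way the library described under "What we will provide" could map a nested role structure to per-instance CRUD bits behind a pluggable store. The names InstanceAcl, AclStore and MemoryStore, the bit values, the role names and the instance ids are hypothetical, and it assumes a nested role inherits whatever is granted to the roles it is nested in.

```java
import java.util.*;
public class InstanceAcl {
    public static final int CREATE = 1, READ = 2, UPDATE = 4, DELETE = 8;

    /** Pluggable strategy (hypothetical interface): Hibernate, LDAP or a cache could back it. */
    public interface AclStore {
        int maskFor(String role, String instanceId);  // CRUD bits granted directly to the role
        Set<String> parentsOf(String role);           // roles this role is nested inside
    }

    /** In-memory strategy; it only ever holds the constructed sample data from main(). */
    public static class MemoryStore implements AclStore {
        private final Map<List<String>, Integer> grants = new HashMap<>();
        private final Map<String, Set<String>> parents = new HashMap<>();
        public void grant(String role, String id, int mask) { grants.merge(Arrays.asList(role, id), mask, (a, b) -> a | b); }
        public void nest(String child, String parent) { parents.computeIfAbsent(child, k -> new HashSet<>()).add(parent); }
        public int maskFor(String role, String id) { return grants.getOrDefault(Arrays.asList(role, id), 0); }
        public Set<String> parentsOf(String role) { return parents.getOrDefault(role, Collections.<String>emptySet()); }
    }

    /** OR together the bits of every held role and its ancestors; the seen set stops cycles. */
    public static int effectiveMask(AclStore store, Collection<String> roles, String id) {
        int mask = 0;
        Set<String> seen = new HashSet<>();
        Deque<String> todo = new ArrayDeque<>(roles);
        while (!todo.isEmpty()) {
            String role = todo.pop();
            if (!seen.add(role)) continue;            // already expanded, skip
            mask |= store.maskFor(role, id);
            todo.addAll(store.parentsOf(role));
        }
        return mask;
    }

    /** Default deny: every requested bit must be present, and an empty request is refused. */
    public static boolean isAllowed(AclStore store, Collection<String> roles, String id, int need) {
        return need != 0 && (effectiveMask(store, roles, id) & need) == need;
    }

    public static void main(String[] args) {
        MemoryStore s = new MemoryStore();
        s.nest("editors", "staff");
        s.nest("staff", "editors");                   // deliberate cycle in the sample data
        s.grant("staff", "doc:42", READ);             // inherited by editors through nesting
        s.grant("editors", "doc:42", UPDATE);
        List<String> held = Collections.singletonList("editors");
        System.out.println(isAllowed(s, held, "doc:42", READ | UPDATE) + " "
            + isAllowed(s, held, "doc:42", DELETE) + " " + isAllowed(s, held, "doc:43", READ));
    }
}
```

Grants are keyed by (role, instance id), so a role with rights on one instance gets nothing on another unless a grant exists for it.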