Opportunitities for Enhanced AAA for Lenya

Status of this document: RT (Random Thought)

Introduction

At this point in time (between the release of 1.2.2 and 2.0) Lenya uses an entirely home grown AAA (read: triple-A, Authentication and Authorization), which is basically based on all AAA relevant information stored in files on the filesystem. For a walkthrough see [AuthenticationAndAuthorizationBackgrounder].

This leaves a lot of room for improvement to meet very different people's and organisations needs.

Potential enhancements

• JAAS
• Container Managed Security
• Single-Sign-On solutions
  

Links

• http://www.orablogs.com/fnimphius/archives/000416.html (Good overall intro!)
• http://www.jcp.org/en/jsr/detail?id=115 JSR 115: JavaTM Authorization Contract for Containers]
• http://www.jcp.org/en/jsr/detail?id=196 JSR 196: JavaTM Authentication Service Provider Interface for Containers
• Servlet container - getRemoteUser()
• JAAS http://java.sun.com/products/jaas/overview.html
  • read the White Paper and
  • if you're not familliar with PAM: The PAM documentation linked there
  • http://www.josso.org/ (Java Open Single Sign-On Project), based on JAAS
• http://www.theserverside.com/news/thread.tss?thread_id=12311 SAML
• http://osoco.sourceforge.net/cowarp/protection.html Cocoon is about to use this; it's non-JAAS yet but document centric
• http://tp.its.yale.edu/tiki/tiki-index.php?page=CentralAuthenticationService