ApacheCon US 2008 Session

Geronimo Security, now and in the future

Security can be divided into negotiation for credentials, credential validation, and authorization.

First we'll look at setting up and swapping credential validation in Geronimo, a simple process everyone has to go through to secure an application. As an example we'll show how to use a local file-based realm in development and switch to an LDAP- or JDBC-based realm for production without touching the application.

Then we'll look at the JACC authorization framework, where the security constraints in the Java EE deployment descriptors and annotations are translated into Java permissions and used, together with a principal-role mapping, to authorize requests at runtime. If time allows we'll look at swapping JACC implementations. We'll also look at extending the JACC concepts to other authorization decisions, such as those in portal frameworks.
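As an added illustration of the translation step and the runtime check described above (this is example code written for this page, not the session's material or Geronimo's own JACC provider), the following Java sketch applies the JACC spec's rules to a few constructed web.xml-style security constraints, keeps the resulting javax.security.jacc.WebResourcePermission objects in role, excluded and unchecked collections, and consults a principal-role mapping per request. It goes one step beyond the abstract by also showing the spec rule that HTTP methods a constraint does not name end up in the unchecked policy, which is the root of the well-known verb-tampering gap. Assumptions: the javax.security.jacc API classes are on the classpath; the Constraint class, the in-memory permission collections, the principal names alice and bob and the URL patterns are my stand-ins for a real PolicyConfiguration, Policy and Geronimo deployment-plan role mapping.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.jacc.WebResourcePermission;

// Added example, not Geronimo code: web.xml-style constraints -> JACC permissions,
// plus a principal-role mapping consulted per request. The role/excluded/unchecked
// collections stand in for a real JACC PolicyConfiguration and Policy.
public class JaccWebDemo {

    // One <security-constraint>. methods empty = all HTTP methods.
    // roles == null -> no <auth-constraint>    -> unchecked (anyone)
    // roles empty   -> empty <auth-constraint> -> excluded (nobody)
    static final class Constraint {
        final String pattern;
        final Set<String> methods;
        final Set<String> roles;
        Constraint(String pattern, Set<String> methods, Set<String> roles) {
            this.pattern = pattern;
            this.methods = methods;
            this.roles = roles;
        }
    }

    private final Map<String, PermissionCollection> byRole = new HashMap<>();
    private final PermissionCollection excluded = new Permissions();
    private final PermissionCollection unchecked = new Permissions();
    // principal -> roles; in Geronimo this mapping comes from the deployment plan (assumed names here)
    private final Map<String, Set<String>> principalRoles = new HashMap<>();

    void mapPrincipal(String principal, String... roles) {
        principalRoles.put(principal, new HashSet<>(Arrays.asList(roles)));
    }

    // Translation step (JACC spec rules, reduced to the pieces used here).
    void translate(List<Constraint> constraints) {
        Map<String, Set<String>> namedMethods = new HashMap<>(); // pattern -> methods named for it
        Set<String> fullyCovered = new HashSet<>();              // patterns with an all-methods constraint
        for (Constraint c : constraints) {
            String actions = c.methods.isEmpty() ? null : String.join(",", c.methods); // null = all methods
            Permission p = new WebResourcePermission(c.pattern, actions);
            if (c.roles == null) {
                unchecked.add(p);
            } else if (c.roles.isEmpty()) {
                excluded.add(p);
            } else {
                for (String r : c.roles) {
                    byRole.computeIfAbsent(r, k -> new Permissions()).add(p);
                }
            }
            if (c.methods.isEmpty()) fullyCovered.add(c.pattern);
            namedMethods.computeIfAbsent(c.pattern, k -> new HashSet<>()).addAll(c.methods);
        }
        // The rule that bites in practice: methods a pattern's constraints do not name go to
        // the unchecked policy. "!GET,POST" means every method except GET and POST, so a
        // constraint that lists only GET and POST leaves DELETE, PUT, HEAD and friends open.
        for (Map.Entry<String, Set<String>> e : namedMethods.entrySet()) {
            if (!fullyCovered.contains(e.getKey()) && !e.getValue().isEmpty()) {
                unchecked.add(new WebResourcePermission(e.getKey(), "!" + String.join(",", e.getValue())));
            }
        }
    }

    // Runtime step: the container builds a permission from the request and asks the policy.
    boolean authorize(String principal, String method, String path) {
        Permission requested = new WebResourcePermission(path, method);
        if (excluded.implies(requested)) return false;  // excluded beats everything
        if (unchecked.implies(requested)) return true;  // no identity required
        if (principal == null) return false;
        for (String role : principalRoles.getOrDefault(principal, Collections.<String>emptySet())) {
            PermissionCollection pc = byRole.get(role);
            if (pc != null && pc.implies(requested)) return true;
        }
        return false;
    }

    private static Set<String> set(String... s) { return new HashSet<>(Arrays.asList(s)); }

    public static void main(String[] args) {
        // Constructed constraints, as a web.xml might declare them.
        JaccWebDemo weak = new JaccWebDemo();
        weak.translate(Arrays.asList(
            new Constraint("/admin/*",    set("GET", "POST"), set("admin")),
            new Constraint("/reports/*",  set(),              set("admin", "analyst")),
            new Constraint("/internal/*", set(),              set()),   // excluded
            new Constraint("/public/*",   set(),              null)));  // unchecked
        weak.mapPrincipal("alice", "admin");
        weak.mapPrincipal("bob", "analyst");

        System.out.println("alice GET /admin/users   : " + weak.authorize("alice", "GET", "/admin/users"));
        System.out.println("bob   GET /admin/users   : " + weak.authorize("bob", "GET", "/admin/users"));
        System.out.println("bob   GET /reports/q3    : " + weak.authorize("bob", "GET", "/reports/q3"));
        System.out.println("anon  GET /public/index  : " + weak.authorize(null, "GET", "/public/index"));
        System.out.println("alice GET /internal/x    : " + weak.authorize("alice", "GET", "/internal/x"));
        // Verb tampering: DELETE was never named for /admin/*, so the spec makes it unchecked.
        System.out.println("bob   DELETE /admin/users: " + weak.authorize("bob", "DELETE", "/admin/users"));

        // Hardened form: omit <http-method> so the constraint covers every method.
        JaccWebDemo fixed = new JaccWebDemo();
        fixed.translate(Collections.singletonList(new Constraint("/admin/*", set(), set("admin"))));
        fixed.mapPrincipal("bob", "analyst");
        System.out.println("bob   DELETE /admin/users (fixed): " + fixed.authorize("bob", "DELETE", "/admin/users"));
    }
}
```

The two translate() calls show the practical check to make when reviewing a deployment descriptor: any constraint that names specific http-method elements should be paired with one that covers the same pattern for all methods (or an explicit exclusion), otherwise the unnamed methods fall through to the unchecked policy. Compile against the Java EE API jar that provides javax.security.jacc; in a real container the same permissions are handed to PolicyConfiguration.addToRole, addToExcludedPolicy and addToUncheckedPolicy, and the implies() call is made by the installed Policy.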

Finally we'll look at the upcoming JASPI support, which allows pluggable negotiation for credentials, and see how it can be used to plug OpenID authentication into a web app in place of basic or form-based authentication.