4 Replies Latest reply on Oct 23, 2007 6:10 AM by Pete Muir

    Why not JAAS for security?

    Hussein Baghdadi Novice

      Hi.
      Why JBoss Seam decided to go with JBoss Drools to implement security?
      Why not JAAS?
      Wouldn't this give the illusion of JBoss products lock-in?
      Some architects like to stick with standards and don't like to stray from them.
      Thanks.

        • 1. Re: Why not JAAS for security?
          fhh Expert

          AFAIK you cannot JAAS security policies do not allow you to grant permission depending on the runtime value of a parameter, e.g. a user may edit products that belong to "his" department.

          Regards

          Felix

          • 2. Re: Why not JAAS for security?
            Norman Richards Master

            JAAS is not a security implementation. It is an API for interacting with security implementations. Seam can interact with JAAS, but years of experience with JAAS has proven that it is not a very effective API. It works ok for the most basic role-based authorization, but it's too heavy and inflexible to be used directly for the type of authorization tasks we were targeting.

            Why did we just Drools? First, keep in mind that you only need to use Drools to implement fine-grained permissions. If you just need simple roles, then you don't need to use drools. A rule base makes sense to implement this type of thing. Everyone on the Seam team knows and likes the Drools guys. Drools works well, and it plays nicely with JBPM, which we also use. We'd always prefer to use standards-based technologies, but where no useful standard exists, we have to pick something.

            The good news is that Seam is a very flexible system. It should not be hard for someone to implement support for another rules engine. If there as any interest in that from the Seam community, I'm sure it will happen.

            • 3. Re: Why not JAAS for security?
              Hussein Baghdadi Novice

               

              "norman.richards@jboss.com" wrote:
              It works ok for the most basic role-based authorization, but it's too heavy and inflexible to be used directly for the type of authorization tasks we were targeting.

              What is the authorization type at JBoss Seam you are targeting?

              • 4. Re: Why not JAAS for security?
                Pete Muir Master

                Both simple (Identity, no dependency on Drools, can integrate with JAAS) and complex (RuleBasedIdentity, uses Drools to define authorization rules, can integrate with JAAS).

                Drools DOES NOT "implement" security in Seam.