...

Excerpt

As mentioned in the Nuxeo Analysis and the discussion of Nuxeo Issues, the Nuxeo framework incorporates support for both authentication (AuthN) and authorization (AuthZ).

As modest advance preparation for the possibility, however remote, that the Services Team runs into problems with that support (documentation shortcomings, implementation difficulties, or missing capabilities), one widely and favorably discussed alternative in the Java security framework space appears to be:

  • JSecurity. This framework has been under active community development since its first release in April 2006, and was granted incubator status as a potential Apache Software Foundation community effort in June 2008. It is used by the Nexus and Grails projects, and the Nexus developers had many positive things to say about it. JSecurity is also currently slated to be integrated with Restlet 1.2.

    JSecurity is billed on its About page as "extremely easy to use and understand. An evaluating developer should grasp all the fundamentals within 10 minutes." (That is the project's own description rather than an independent assessment, but if it holds up it should let us evaluate its design approach and capabilities fairly rapidly, vis-à-vis Nuxeo's integral security support.) It is "POJO and interface based ... you can use it in any pojo container, servlet container, J2EE application server, or standalone application out of the box." The framework is released under the Apache 2.0 license, which may be compatible with CollectionSpace licensing requirements.

    One potential concern is the state of user documentation (outside the Javadocs, which are claimed to be excellent) as of the current 0.9.x releases. There is a long and helpful threaded discussion on that topic on the JSecurity-Dev list.

For a list of other alternatives, one possible starting place is the list of notable security frameworks on The Open Web Application Security Project (OWASP)'s Java Security Table of Contents page. (Note that some of those frameworks are integral components of web application frameworks, are tightly bound to particular containers, or carry similar dependencies, and might not be usable in our context.) Two additions to that list are the security frameworks within core Java, in particular the Java Authentication and Authorization Service (JAAS), and jGuard, which is built on top of JAAS. The other two related core-Java frameworks, JSSE (transport encryption) and JCE (cryptography), do not address authentication or authorization and are not alternatives here.
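To give a concrete sense of what the core-Java baseline looks like (the thing JSecurity and jGuard wrap or replace), the following is an added example, not code from the CollectionSpace, Nuxeo, or JSecurity projects. It implements AuthN as a JAAS LoginModule with the standard two-phase login/commit contract and AuthZ as a deny-by-default role check against the Principals placed on the authenticated Subject. The user table, passwords, role names, and the "collectionspace" application name are constructed sample data; a real module would consult a hashed credential store rather than an in-memory map. It assumes Java 8 or later (for the lambda CallbackHandler) and uses only javax.security.auth APIs.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Added example: plain JAAS for AuthN (a LoginModule) and AuthZ (role Principals on the Subject). */
public class JaasDemo {

    /** One Principal class for both users and roles; AuthZ checks look for kind "role". */
    public static final class NamedPrincipal implements Principal {
        private final String kind, name;
        public NamedPrincipal(String kind, String name) { this.kind = kind; this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof NamedPrincipal && toString().equals(o.toString());
        }
        @Override public int hashCode() { return toString().hashCode(); }
        @Override public String toString() { return kind + ":" + name; }
    }

    /** LoginModule backed by a constructed in-memory user table (hypothetical sample data, not a real store). */
    public static final class InMemoryLoginModule implements LoginModule {
        private static final Map<String, char[]> PASSWORDS = new HashMap<>();
        private static final Map<String, String[]> ROLES = new HashMap<>();
        static {
            PASSWORDS.put("curator", "correct-horse".toCharArray());
            ROLES.put("curator", new String[] {"reader", "editor"});
            PASSWORDS.put("visitor", "battery-staple".toCharArray());
            ROLES.put("visitor", new String[] {"reader"});
        }
        private Subject subject;
        private CallbackHandler handler;
        private String user;        // set only once login() has verified the password
        private boolean succeeded;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        /** Phase 1 of the JAAS two-phase protocol: verify credentials, leave the Subject untouched. */
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] {nc, pc});
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e);
            }
            char[] expected = PASSWORDS.get(nc.getName());
            char[] given = pc.getPassword();   // getPassword() returns a copy; clear both afterwards
            pc.clearPassword();
            // Unknown user and wrong password take the same path and produce the same message.
            boolean ok = expected != null && given != null && given.length == expected.length;
            int diff = 0;                      // constant-time compare over the full length
            for (int i = 0; ok && i < expected.length; i++) diff |= expected[i] ^ given[i];
            if (given != null) Arrays.fill(given, '\0');
            if (!ok || diff != 0) throw new FailedLoginException("bad credentials");
            user = nc.getName();
            succeeded = true;
            return true;
        }

        /** Phase 2: populate the Subject only if every REQUIRED module in the stack succeeded. */
        public boolean commit() {
            if (!succeeded) return false;
            subject.getPrincipals().add(new NamedPrincipal("user", user));
            for (String r : ROLES.get(user)) subject.getPrincipals().add(new NamedPrincipal("role", r));
            return true;
        }
        public boolean abort() { user = null; succeeded = false; return true; }
        public boolean logout() { subject.getPrincipals().clear(); succeeded = false; return true; }
    }

    /** Programmatic Configuration, so no jaas.conf file or -Djava.security.auth.login.config is needed. */
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
            return new AppConfigurationEntry[] {new AppConfigurationEntry(
                InMemoryLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>())};
        }
    };

    /** Hands fixed credentials to whatever callbacks the module asks for (a CLI would prompt instead). */
    static CallbackHandler credentials(String user, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** AuthZ: deny-by-default role check against the authenticated Subject. */
    static void requireRole(Subject s, String role) {
        if (!s.getPrincipals().contains(new NamedPrincipal("role", role)))
            throw new SecurityException("missing role " + role);
    }

    public static void main(String[] args) throws LoginException {
        LoginContext lc = new LoginContext("collectionspace", new Subject(),
                                           credentials("curator", "correct-horse"), CONFIG);
        lc.login();
        Subject curator = lc.getSubject();
        System.out.println("authenticated: " + curator.getPrincipals());
        requireRole(curator, "editor");   // curator holds the editor role, so this passes
        lc.logout();
        try {
            new LoginContext("collectionspace", new Subject(), credentials("visitor", "wrong"), CONFIG).login();
        } catch (LoginException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two points of this baseline are worth keeping in mind when comparing frameworks: JAAS deliberately separates verification (login) from populating the Subject (commit) so that a stack of modules can be rolled back atomically, and it provides no role or permission model of its own, which is why the example has to invent NamedPrincipal and requireRole. Frameworks such as JSecurity and jGuard exist largely to supply that missing authorization layer and to hide the Configuration and CallbackHandler plumbing shown above.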

Test Plan

This should describe how the new service implementation will be tested. The testing here could include white-box tests, unit tests, and/or integration tests.

...