Spring is a given
talking about "security" - AuthN, AuthZ
propose using Acegi as the framework for plugging in our backends
How do we decide, re: Acegi, etc
- what about impersonation? - yes
- can you access the user from any tier? - yes, from AOP
- it has momentum, need to eval our reqs against it vs. looking for something else
consensus: we need to dig more into Acegi
- Norm will add requirements to wiki, everyone else to add on
- Craig to add some comments comparing reqs to Acegi
- UA input sought, we need to experimentally verify
- some small apps coming up, Mike M to try it out, make developer notes on it in the wiki
once requirements are together, let's talk about backend pieces
Roles:
- bringing Java API up to snuff to support existing Roles capability
- using groups instead of usernames in the triad
- implicit authorizations (authZs derived from other data, how is that done?)
basics: can x do y with z? what can x do? who can do y? (this can have an auditing purpose) anything else?
- establishing these questions is essential to our framework, Jim to provide some points for discussion
TO DO:
- Norm to add requirements, others to add to them
- Craig: Acegi gap analysis
- Mike to try Acegi on upcoming apps
- Jim to write up some Roles stuff for wiki
- set up machine for support site
- get SVN for framework
NEXT week:
- talk about how to fill this in - build stuff, etc.
- development process
- test app
- add your thoughts to development process in the wiki
note: who to talk to about UI? Mike Berger should be involved
discussion about bleeding edge UI tools vs. stable ones
- we will probably have the stable version supported by outside vendors
- but some people will be developing for the next version
general goal:
- have something by April that people can use
- size the deliverable accordingly