Spring is a given
talking about "security" - AuthN, AuthZ
propose using Acegi as the framework for plugging in our backends
How do we decide, re: Acegi, etc
- what about impersonation? - yes
- can you access the user from any tier? - yes, from AOP
- it has momentum, need to eval our reqs against it vs. looking for something else
consensus: we need to dig more into Acegi
- Norm will add requirements to wiki, everyone else add on
- Craig to add some comments comparing reqs to Acegi
- UA input sought, we need to experimentally verify
- some small apps coming up, Mike M to try it out, make developer notes on it in the wiki

once requirements are together, let's talk about backend pieces

Roles:
    - bringing Java API up to snuff to support existing Roles capability
    - using groups instead of usernames in the triad
    - implicit authorizations (authZs derived from other data, how is that done?)

basics: can x do y with z? what can x do? who can do y? (this can have an auditing purpose) anything else?
- establishing these questions is essential to our framework, Jim to provide some points for discussion
 

TO DO:
- Norm to add requirements, others to add to them
- Craig Acegi gap analysis
- Mike to try Acegi on upcoming apps
- Jim to write up some Roles stuff for wiki
- set up machine for support site
- get SVN for framework

NEXT week:
- talk about how to fill this in - build stuff, etc.
- development process
  - test app
- add your thoughts to development process in the wiki

note: who to talk to about UI? Mike Berger should be involved

discussion about bleeding edge UI tools vs. stable ones
- we will probably have the stable version supported by outside vendors
- but some people will be developing for the next version

general goal:
- have something by April that people can use
- size the deliverable accordingly
