Hi Brian,
like it was implied in my previous post,i'm not part of the Xwiki team, but a xwiki user.
firstly, i want to say that i respect the great work of the Xwiki team and community! good job guys!
about the jGuard integration:
i propose to talk about Xwiki security architecture on this forum, and if the discussion become mainly focused on jGuard, we will continue this topic on jGuard forum.
so, if the XwikiService is the main interface to securize, applying authorization with JAAS through jGuard will be easy to do:all you have to do is to put at start of the related methods this java code  (from j2se, not jGuard, that's why we can say jGuard use the standard way):
AccessController.checkPermission(yourcustomPermission).
the custom permisison can be a XwikiPermission if you want.
if you want this control only applies when the securityManager is enabled, you can do the test before this code with :
if(System.getSecurityManager()!=null)'
AccessController.checkPermission(yourCustomPermission);
}

this code will calls the underlying java security architecture to know if the user has got the permission to access to the ressource.
a securityException will be raised if the permission is denied.
jGuard provides a webapp example illustrating how to securize a webapp: it demonstrates how to do it using a REST strategy(all ressources  access controls are protected through URLs with URLPermissions, and not deeply in the specific APIs...);but it can be done in a invasive way like described in this post.
like the code provided above calls the java security architecture, you need to authenticate through jGuard and JAAS to have permissions granted to authenticated user.
so, the big work will be to match the access control model with the one used by jGuard (jGuard uses the standard access control model called RBAC).
have you any precisions about the Xwiki access control model to helps you?how Xwiki users are authenticated, and how XWiki manage them?
i hope some answers to this post will helps you (and me!) to better understnad the Xwiki architecture, and access control model.

cheers,

Charles(jGuard team).
http://www.jguard.net
On 5/9/06, THOMAS, BRIAN M (SBCSI) < bt0008@att.com> wrote:
Thanks, Charles.  I left a similar request as a comment on your wiki.  I am actively working on a JAAS implementation of XWiki's interfaces.  Or rather, I have  begun by subclassing the XWiki*ServiceImpl classes because that's how some others are done and there may  be things that XWiki needs there.  It may actually be that it makes more sense just to implement the interfaces directly.
 
This is probably not the venue for continued discussion in this vein, so I'll do this directly, but thought I'd let the list know that this is going on in case anyone wants to share in the effort and results.
 
I'm not on the developers list; are you, Charles?  Would that be the best place to carry on?  I suppose if you didn't intend it to be an "official" part of XWiki it might not be, but on the other hand it looks like a good place for the XWiki developers to start if nothing else.  The only jGuard-specific code should be connected only by the configuration files.
 
Alternatively, perhaps the jGuard wiki would be a good place to discuss and develop the overall design.  Does that sound like a good idea?
 
I'm sorry for the delay in responding; I started this reply on Friday and then forgot about it over the weekend.  Though I never completed it, I found it, marked unread, in my Sent Items folder...
 
brain[sic]
-----Original Message-----
From: charles gay [mailto:charles.gay@gmail.com]
Sent: Thursday, May 04, 2006 3:13 AM
To: xwiki-users@objectweb.org
Subject: Re: [xwiki-users] JAAS Integration with XWiki

Hi,
i'm part of the jGuard project and a user of Xwiki (through our website www.jguard.net hosted and powered by XWiki).
jGuard implements JAAS and provide an easy way to use it in a webapp context.
that's right that Xwiki security apis differs from the JAAS apis.
but the concept involved in the Xwiki apis, are closed of the JAAS and jGuard ones.
if you've got some interest by adapting the XWiki apis to JGuard (an JAAS implicitly), i can help you to do it.
but this adapter will not be an "official" Xwiki way....

hope it helps,

Charles GAY(jGuard team).

On 4/25/06, THOMAS, BRIAN M (SBCSI) <bt0008@att.com> wrote:
We are standardizing on the Java Authentication and Authorization
Service (JAAS).  I thought I heard that XWiki supports the Pluggable
Authentication Modules (PAM) standard, but haven't found any reference
to it in the docs.  Further, there are some articles out about
integrating JAAS into Tomcat, which is another thing to think about.  We
actually are considering at least two methods here - a centralized PIN
server and a RADIUS server for SecurID access, and both have clients
that implement the JAAS interfaces.

There are a couple of strategies that I could probably try:  one is just
to use the JAAS/Tomcat integration route.  That would seem to give the
most bang-per-buck, but that would (I think) not allow controls at the
level of granularity that XWiki does, or would actually take controls
away from the XWiki rights system.

Another (actually my first idea) is to implement the various
com.xpn.xwiki.user.api interfaces (XWikiAuthService, XWikiGroupService,
and XWikiRightService) with JAAS calls.

Anyone have any experience with this?

brain[sic]




--
You receive this message as a subscriber of the xwiki-users@objectweb.org mailing list.
To unsubscribe: mailto:xwiki-users-unsubscribe@objectweb.org
For general help: mailto: sympa@objectweb.org?subject=help
ObjectWeb mailing lists service home page: http://www.objectweb.org/wws





--
You receive this message as a subscriber of the xwiki-users@objectweb.org mailing list.
To unsubscribe: mailto:xwiki-users-unsubscribe@objectweb.org
For general help: mailto: sympa@objectweb.org?subject=help
ObjectWeb mailing lists service home page: http://www.objectweb.org/wws