Jetspeed 2 security leverages J2EE authentication and authorization standards for both authentication
and authorization through the implementation of a default LoginModule
and a default authorization
Policy
.
Authentication establishes the identity of the user and populates the Subject
with all
the user principals. In a portal context, the populated Subject
is added to the session
in the org.apache.jetspeed.security.SecurityValve
implementation. The Subject
principals are then used to authorize the user's access to a given resource. It leverages JAAS authorization
by checking the user's permission with the
AccessController. More details
on authorization are provided in the JAAS authorization section of this documentation.
The following diagram describes the high level security architecture:
Configuration files for each component areas are specified. For more information, go to the documentation section on configuration.
Jetspeed security architecture is fully JAAS compliant. Developers can replace Jetspeed security
architecture with their own LoginModule
and Policy
implementation. Jetspeed
implementation provides management programming and user interfaces as well as an SPI model to facilitate
its extension.