Difference between revisions of "Talk:Declarative Access Control in Java"

From OWASP
Jump to: navigation, search
(General Discussion)
Line 6: Line 6:
  
 
==General Discussion==
 
==General Discussion==
global comment: this overview is very quick, but clear and efficient
+
* global comment: this overview is very quick, but clear and efficient
  
* Introduction: a remainder of the technical context could be useful - what
+
* Introduction: a remainder of the technical context could be useful - what piece of code do one needs for executing this declarative access control: a servlet container ? a J2EE platform ?
piece of code do one needs for executing this declarative access control: a
+
servlet container ? a J2EE platform ?
+
  
* first XML excerpt: no global tag is shown. If I have a real Web App descriptor
+
* first XML excerpt: no global tag is shown. If I have a real Web App descriptor without security, in which tag should I put the given xml code ?
without security, in which tag should I put the given xml code ?
+
  
* authentication methods 'Digest' ad 'Client cert' are evoked. How can they be
+
* authentication methods 'Digest' ad 'Client cert' are evoked. How can they be implemented, i.e what is required on the client side (algorithm, certificate with proper issuer) and on the server side (algorithm for digest and certificate control, access to a trusted certificate database)
implemented, i.e what is required on the client side (algorithm, certificate
+
with proper issuer) and on the server side (algorithm for digest and
+
certificate control, access to a trusted certificate database)
+
  
* 2 different 'transport guarantees' are evoked, 'integral' and 'confidential'.
+
* 2 different 'transport guarantees' are evoked, 'integral' and 'confidential'. What specific protocols, algorithms, and data, are required ?
What specific protocols, algorithms, and data, are required ?
+
  
 
* SSL is evoked. a pointer toward a SSL page could be useful
 
* SSL is evoked. a pointer toward a SSL page could be useful
  
* no extra link is given. Is it deliberate from the Owasp editor ? Where can I
+
* no extra link is given. Is it deliberate from the Owasp editor ? Where can I go and look if I need further information ?
go and look if I need further information ?
+

Revision as of 03:42, 14 November 2006

Status

Reviewed. Author to act on comments.

Reviewers

  • Pierre Parrend

General Discussion

  • global comment: this overview is very quick, but clear and efficient
  • Introduction: a remainder of the technical context could be useful - what piece of code do one needs for executing this declarative access control: a servlet container ? a J2EE platform ?
  • first XML excerpt: no global tag is shown. If I have a real Web App descriptor without security, in which tag should I put the given xml code ?
  • authentication methods 'Digest' ad 'Client cert' are evoked. How can they be implemented, i.e what is required on the client side (algorithm, certificate with proper issuer) and on the server side (algorithm for digest and certificate control, access to a trusted certificate database)
  • 2 different 'transport guarantees' are evoked, 'integral' and 'confidential'. What specific protocols, algorithms, and data, are required ?
  • SSL is evoked. a pointer toward a SSL page could be useful
  • no extra link is given. Is it deliberate from the Owasp editor ? Where can I go and look if I need further information ?