I first saw this on CNET in an article entitled – BEA jumps on security bandwagon. In a nutshell, the BEA WebLogic Enterprise Security product is an application security infrastructure solution that uses a service-oriented approach to enable security services for your applications.
The product is based on most of the stuff that came over as part of the CrossLogix acquisition. The interesting thing for me on this whole story was how security is playing an integral part of the application development process and how companies like BEA are jumping in this market. IBM has also been buying companies to complete its security/identity story in the Tivoli suite of products with TIM & TAM.
Another interesting part of the press release was that JAAS was not mentioned once. JAAS or the Java Authentication and Authorization Service is a package integrated into Java 1.4 that enables services to authenticate and enforce access controls upon users. It implements a standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization.
JAAS was a good first step for authentication and authorization for Java applications, but there are several limitations of the framework and I’m not sure what the future holds. It seems odd to write all this JAAS code for applications that are running inside a web/ejb container when the container has all of these services.
I haven’t been lurking in the comp.lang.java.security newsgroup and so I don’t know what the future holds for JAAS. I guess I’ll have to go through the 15,000+ posting that are waiting in my newsreader.