Architecture Overview

Jetspeed 2 security builds on the J2EE standards for both authentication and authorization by implementing a default LoginModule and a default authorization Policy.

Authentication establishes the identity of the user and populates the Subject with all the user principals. In a portal context, the populated Subject is added to the session in the org.apache.jetspeed.security.SecurityValve implementation. The Subject principals are then used to authorize the user's access to a given resource: Jetspeed leverages JAAS authorization by checking the user's permission with the AccessController. More details on authorization are provided in the JAAS authorization section of this documentation.

The following diagram describes the high-level security architecture:

Configuration files for each component area are specified. For more information, see the Security Configuration section in the Deployment Guide.

The Jetspeed security architecture is fully JAAS compliant. Developers can replace the Jetspeed security architecture with their own LoginModule and Policy implementations. The Jetspeed implementation provides management programming and user interfaces as well as an SPI model to facilitate its extension.
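
The authorization flow described above (Subject principals checked through the AccessController against a replaceable Policy) can be sketched in plain JAAS. This is an added example, not Jetspeed's own code: RolePrincipal, PagePermission and RolePolicy are hypothetical names, and it assumes a JDK on which the JAAS Policy and AccessController APIs are still functional (Java 17 or earlier).

```java
import java.security.*;
import javax.security.auth.Subject;

public class PrincipalPolicyDemo {
    // Hypothetical role principal; a LoginModule would add these to the Subject at login.
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Hypothetical permission guarding a portal resource (BasicPermission supports a trailing ".*").
    static final class PagePermission extends BasicPermission {
        PagePermission(String name) { super(name); }
    }

    // Replacement Policy: deny by default, grant admin pages only to the "admin" role.
    static final class RolePolicy extends Policy {
        private final Permission adminPages = new PagePermission("page.admin.*");
        @Override public boolean implies(ProtectionDomain domain, Permission requested) {
            for (Principal p : domain.getPrincipals()) {
                if (p instanceof RolePrincipal && "admin".equals(p.getName())
                        && adminPages.implies(requested)) {
                    return true;
                }
            }
            return false;
        }
    }

    // Runs the check as the Subject; the AccessController consults the Policy with its principals.
    static boolean canAccess(Subject subject, String page) {
        try {
            Subject.doAsPrivileged(subject, (PrivilegedAction<Void>) () -> {
                AccessController.checkPermission(new PagePermission(page));
                return null;
            }, null);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        Policy.setPolicy(new RolePolicy());
        Subject admin = new Subject();   // constructed sample subjects
        admin.getPrincipals().add(new RolePrincipal("admin"));
        Subject guest = new Subject();
        guest.getPrincipals().add(new RolePrincipal("guest"));
        System.out.println("admin -> " + canAccess(admin, "page.admin.users"));
        System.out.println("guest -> " + canAccess(guest, "page.admin.users"));
    }
}
```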