users@glassfish.java.net

Re: JACC Provider can't check security for itself

From: <glassfish_at_javadesktop.org>
Date: Wed, 04 Jun 2008 14:32:50 PDT

At this point my implementation is working under GF, the biggest hurdles I had were:

* avoid the implies recursion trap
* capture the previous Policy impl via Policy.getPolicy in my Policy implementation constructor
* delegate to the original Policy implementation in my implies method
* serialize the PC in their commit method
* load the PCs from my PCF upon initial access (if available)
* add a special case in my mapping to "asadmin" group to "admin-role"

I have not gotten back around to see where things stand on WAS, though I'm guardedly optimistic.

Frankly, I wish the "default mapping" option available in the GF JACC impl was a required feature so I could just use it in WAS (hint, hint).

That way I could handle the group-to-role mapping as a 1-to-1 and do any sort of custom group-fargling-monkey-shines in my JSR-196 implementation.

I'd also point out that my delegation model only works because I don't handle permission exclusions.

Since no one asked, I'll go ahead and say that I think it'd be better if the implies method returned an enum like: { Allowed, Denied, Undecided }, instead of a boolean where the application server would treat Undecided and Denied like it treats false and Allowed like it treats true.

This way delegating implementations could know if the original Policy denied the request or just didn't grant it.

Just my $0.07.
[Message sent by forum member 'brian_of_fortent' (brian_of_fortent)]

http://forums.java.net/jive/thread.jspa?messageID=278416
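
The delegation pattern listed in the message above, sketched as an added example (not the poster's code or GlassFish's): a java.security.Policy that captures the previously installed policy in its constructor, delegates to it in implies, and uses a per-thread flag to avoid the implies recursion trap. The class name DelegatingPolicy, the grant helper, the two maps and the default 1-to-1 group-to-role fallback are assumptions made for illustration.

```java
import java.security.*;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical class: illustrates the pattern, not a complete JACC provider.
public class DelegatingPolicy extends Policy {
    private final Policy original;   // policy that was installed before this one
    // True while the current thread is already inside implies().
    private final ThreadLocal<Boolean> busy = ThreadLocal.withInitial(() -> false);
    private final Map<String, String> groupToRole = new ConcurrentHashMap<>();
    private final Map<String, Permissions> rolePerms = new ConcurrentHashMap<>();

    public DelegatingPolicy() {
        // Capture the old policy before anyone calls Policy.setPolicy(this).
        original = Policy.getPolicy();
        groupToRole.put("asadmin", "admin-role");   // special case named in the post
    }

    // Hypothetical helper: record a permission granted to a role.
    public void grant(String role, Permission p) {
        rolePerms.computeIfAbsent(role, r -> new Permissions()).add(p);
    }

    @Override
    public boolean implies(ProtectionDomain pd, Permission perm) {
        if (busy.get()) {
            // Re-entered by a permission check that our own lookup triggered:
            // answer from the original policy only, so the call cannot recurse.
            return original.implies(pd, perm);
        }
        busy.set(true);
        try {
            if (original.implies(pd, perm)) return true;   // delegate first
            if (pd == null) return false;
            for (Principal p : pd.getPrincipals()) {
                // Assumed default mapping: group name doubles as role name.
                String role = groupToRole.getOrDefault(p.getName(), p.getName());
                Permissions granted = rolePerms.get(role);
                if (granted != null && granted.implies(perm)) return true;
            }
            return false;
        } finally {
            busy.set(false);   // always clear, even if a check throws
        }
    }
}
```

Because implies returns a boolean, a false from the original policy here cannot be told apart from an explicit denial, which is why this grant-only delegation does not extend to permission exclusions, as the message notes.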