On 19/04/2016 19:22, Shawn McKinney wrote:

On Apr 19, 2016, at 16:34:27, Achilleas Mantzios wrote:

I admit I haven’t done my homework regarding the standards (the literature is just huge); maybe I was hasty in using the term RBAC above, but anyway, what does Fortress/RBAC give out of the box that our solution wouldn’t? I mean, would you mind giving a very rough overview?
Not knowing what your solution provides, it's not possible for me to give you a comparison, and in any case that’s a question for you to decide.
Hello Shawn, nice seeing you again! We had talked back in 2014, but didn't have a chance to move on with our goals back then.
Let me repeat our needs, which have mostly to do with SOX compliance:

"
We have an in-house application running on Java EE, which we have been developing for the last 16 years. We use mostly classic form-based J2EE declarative security. We have been using IBM Lotus Notes Domino Server and its bundled LDAP server, by writing our own login module for JBoss. But Lotus's LDAP is of limited potential. Now we need to have the following features:
- support password strength and also communicate relevant error codes/messages back to the calling client (e.g. JBoss login module)
- handle correctly while in period of passwd expiration warning (error codes/messages)
- handle correctly after period of passwd expiration, but within the grace limit (error codes/messages)
- support password history (error codes/messages)
- handle correctly after period of passwd expiration, and also after grace limit (error codes/messages)
- account explicitly locked (error codes/messages)
- handle pwdMustChange & pwdReset (error codes/messages)
- account explicitly locked after pwdMaxFailure (error codes/messages)
"


If you want to understand Fortress, first understand its APIs; there are links to the Javadoc descriptions at the bottom of this page:

https://directory.apache.org/fortress/overview.html

If after that you are still interested, check out the tutorials:

- http://github.com/shawnmckinney/apache-fortress-demo
- http://github.com/shawnmckinney/role-engineering-sample
- http://github.com/shawnmckinney/wicket-sample
- http://github.com/shawnmckinney/fortress-saml-demo

or some of the collateral that is here:

- http://iamfortress.net/2015/06/11/what-is-delegated-administration/
- http://iamfortress.net/2015/03/13/enabling-java-ee-and-fortress-security-inside-an-apache-wicket-web-app/
- http://iamfortress.net/2015/03/05/the-seven-steps-of-role-engineering/
- http://iamfortress.net/2015/02/16/apache-fortress-end-to-end-security-tutorial/
- http://iamfortress.net/2014/11/24/using-role-for-access-control-is-not-rbac/
Thanks, I surely must read those.
Shawn


-- 
Achilleas Mantzios
IT DEV Lead
IT DEPT
Dynacom Tankers Mgmt
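The states in the requirement list above (expiration warning, grace logins, pwdReset/pwdMustChange, lockout after pwdMaxFailure, password history and strength) are what the LDAP Password Policy response control (draft-behera-ldap-password-policy, the control OpenLDAP's ppolicy overlay attaches to bind and password-modify results) reports. The example below is added here and is not code from the thread, Fortress or Domino: it decodes that control from raw BER bytes and maps its warning/error codes to messages a login module could hand back to the client; the control values used to exercise it are constructed.

```python
# Added example (not the thread's code): decode the LDAP Password Policy response control.
ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
          3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
          5: "insufficientPasswordQuality", 6: "passwordTooShort",
          7: "passwordTooYoung", 8: "passwordInHistory"}
MESSAGES = {  # what the login module hands back to the client for each error code
    "accountLocked": "account locked (explicit lock or pwdMaxFailure reached)",
    "passwordExpired": "password expired and grace limit exhausted",
    "changeAfterReset": "password was reset (pwdReset/pwdMustChange): change it now",
    "passwordInHistory": "new password rejected: found in password history",
    "insufficientPasswordQuality": "new password rejected: too weak",
}

def _tlv(buf: bytes, pos: int) -> tuple:
    """Read one BER TLV (definite length only); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_ppolicy(value: bytes) -> dict:
    """PasswordPolicyResponseValue ::= SEQUENCE { warning [0] CHOICE { [0] or [1]
    INTEGER } OPTIONAL, error [1] ENUMERATED OPTIONAL }, returned as a plain dict."""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("ppolicy control value must be a SEQUENCE")
    resp, pos = {"timeBeforeExpiration": None, "graceAuthNsRemaining": None, "error": None}, 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:  # warning [0] is constructed and wraps one tagged INTEGER
            wtag, wval, _ = _tlv(inner, 0)
            key = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}[wtag]
            resp[key] = int.from_bytes(wval, "big")
        elif tag == 0x81:  # error [1] is a primitive ENUMERATED
            resp["error"] = ERRORS.get(int.from_bytes(inner, "big"), "unknown")
    return resp

def login_message(bind_ok: bool, ctrl_value: bytes = b"") -> str:
    """Map the bind outcome plus the control into one message for the calling client."""
    resp = decode_ppolicy(ctrl_value) if ctrl_value else {}
    if resp.get("error"):
        return MESSAGES.get(resp["error"], "policy error: " + resp["error"])
    if not bind_ok:
        return "invalid credentials"  # no policy detail: plain wrong password
    if resp.get("graceAuthNsRemaining") is not None:
        return f"password expired: {resp['graceAuthNsRemaining']} grace logins left"
    if resp.get("timeBeforeExpiration") is not None:
        return f"password expires in {resp['timeBeforeExpiration']} s: change it soon"
    return "ok"
```

In a real login module the control value comes from the bind response's control with OID 1.3.6.1.4.1.42.2.27.8.5.1, after the client has sent the matching (empty-valued) request control on the bind.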