Shibboleth Developers

> 4) Discussion items
>         -- IdP/JAAS support -- what to include in the shipping package

a bit more info on this....

after some experimenting with JAAS, I *think* that in order to enable 
it with an IdP within Tomcat, a site would have to: (note -- steps 
with other servlet containers are probably different)

1) pass a command line parameter to java, when starting the container

-Djava.security.auth.login.config=/usr/local/tomcat/conf/jaas.conf

2) modify Tomcat's server.xml file (Realm element, describing JAAS)

3) create a jaas.conf file (contents dependent on authn mechanism being used)

4) modify the web.xml file that accompanies the IdP (defining 
security-constraints, login-config, security-role's (maybe?)

5) create a login form, for use by JAAS (or some other equivalent -- 
popping upbasic authn dialog in browser?)

6) place the JAAS authn specific jar in tomcat/server/lib

my question is....

a) how many of these steps might we be able to bundle with the IdP?

b) how many are Shib-specific uses of JAAS, that we'll have to document?

c) is JAAS so under-documented, that we're going to have to document 
this whole mess?