[jboss-as7-dev] security/web sucks, what can we change?

Bill Burke bburke at redhat.com
Fri Jun 17 12:20:18 EDT 2011 


On 6/17/11 11:37 AM, David M. Lloyd wrote:
> On 06/17/2011 09:56 AM, Bill Burke wrote:
>> I'm not happy with the state of our security abstractions.
>
> Me either.
>
> [...]
>> So what do I want to do?
>>
>> Step 1:
>>
>> - Add ability to plug in a Security Domain type.  Currently its all
>> hardcoded.  I don't see any mechanism in AS7 at the moment for plugging
>> in IoC like information.  I don't see mechanism for discovering config
>> files or a place to put config files in AS7.  This isn't a bad thing.  I
>> think what we could do is allow people to add a
>> "org.jboss.security.DomainMapping" file to META-INF/services directory
>> of any jar.  When the Security Subsystem starts up it will search for
>> all files of that name and load up a mapping file.
>
> I'm not sure I'm following along with this.
>

Security domains don't use a classname anymore.  They use a code in the 
domain.xml file.  Right now that code to classname mapping is hard 
coded.  I'm suggesting a ServiceLoader-style class discovery that just 
maps code to classname.


>> - Add ability to define JBossWeb Authenticators.  Tomcat/JBossWeb
>> already has this ability inheritently built in, but unexposed.  Similar
>> to DomainMapping, we'll have a org.jboss.web.Authenticators file that
>> has a class/auth-method mapping.
>
> Definitely, I think this is a great idea.  I'm not so sure about using a
> "META-INF/services" file for anything other than ServiceLoader-style
> class discovery though, but I'm not 100% sure that this is what you're
> saying.
>

How else could you plug in a code->classname map?  I really liked the 
idea of keeping implementation details out of the domain.xml config.


>> Step 2:
>> I'd like to gut JBossWeb security and Picketbox security.  Redesign the
>> whole damn thing.  Its just hacked and band-aided together.  Its stuck
>> in ancient and obsolete user/password land needs to be more flexible.
>
> Yeah for Remoting at least (and for other future stuff, like SSH, SFTP,
> etc.) I'm looking at supporting public key (non-certificate)
> authentication, and I'm a bit at a loss as to how I might reconcile this
> with the username/password school of thought.
>

I've done a lot of work lately with digital signatures + HTTP in 
Resteasy project.  I'm implementing a signature-based approach to 
authentication and ran into a brick wall when trying to figure out how 
to integrate with AS7.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

More information about the jboss-as7-dev mailing list