[jboss-as7-dev] security/web sucks, what can we change?

Fri Jun 17 12:40:45 EDT 2011


On 06/17/2011 01:20 PM, Bill Burke wrote:
>
> On 6/17/11 11:37 AM, David M. Lloyd wrote:
>> On 06/17/2011 09:56 AM, Bill Burke wrote:
>>> I'm not happy with the state of our security abstractions.
>> Me either.
>>
>> [...]
>>> So what do I want to do?
>>>
>>> Step 1:
>>>
>>> - Add ability to plug in a Security Domain type.  Currently its all
>>> hardcoded.  I don't see any mechanism in AS7 at the moment for plugging
>>> in IoC like information.  I don't see mechanism for discovering config
>>> files or a place to put config files in AS7.  This isn't a bad thing.  I
>>> think what we could do is allow people to add a
>>> "org.jboss.security.DomainMapping" file to META-INF/services directory
>>> of any jar.  When the Security Subsystem starts up it will search for
>>> all files of that name and load up a mapping file.
>> I'm not sure I'm following along with this.
>>
> Security domains don't use a classname anymore.  They use a code in the
> domain.xml file.  Right now that code to classname mapping is hard
> coded.  I'm suggesting a ServiceLoader-style class discovery that just
> maps code to classname.
>
>
You can still use a class name in the code attribute of security 
domains. Those hardcoded aliases were created for implementations we 
already provide along with AS so we can avoid using class names for our 
own classes.
>>> - Add ability to define JBossWeb Authenticators.  Tomcat/JBossWeb
>>> already has this ability inheritently built in, but unexposed.  Similar
>>> to DomainMapping, we'll have a org.jboss.web.Authenticators file that
>>> has a class/auth-method mapping.
>> Definitely, I think this is a great idea.  I'm not so sure about using a
>> "META-INF/services" file for anything other than ServiceLoader-style
>> class discovery though, but I'm not 100% sure that this is what you're
>> saying.
>>
> How else could you plug in a code->classname map?  I really liked the
> idea of keeping implementation details out of the domain.xml config.
>
>
>>> Step 2:
>>> I'd like to gut JBossWeb security and Picketbox security.  Redesign the
>>> whole damn thing.  Its just hacked and band-aided together.  Its stuck
>>> in ancient and obsolete user/password land needs to be more flexible.
>> Yeah for Remoting at least (and for other future stuff, like SSH, SFTP,
>> etc.) I'm looking at supporting public key (non-certificate)
>> authentication, and I'm a bit at a loss as to how I might reconcile this
>> with the username/password school of thought.
>>
> I've done a lot of work lately with digital signatures + HTTP in
> Resteasy project.  I'm implementing a signature-based approach to
> authentication and ran into a brick wall when trying to figure out how
> to integrate with AS7.
>

-- 
Marcus Moyses
JBoss Core Developer
JBoss by Red Hat