<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
<table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td>
<table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
<h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
<!-- To have a header image/logo replace the name below with your img tag -->
<!-- Email clients will render the images when the message is read so any image -->
<!-- must be made available on a public server, so that all recipients can load the image. -->
<a href="http://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">JBoss Community</a></h1>
</td>
</tr>
<tr>
<td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
Re: AS7 Property File Based Login Modules
</h3>
<span style="margin-bottom: 10px;">
created by <a href="http://community.jboss.org/people/jason.greene%40jboss.com">Jason Greene</a> in <i>PicketBox Development</i> - <a href="http://community.jboss.org/message/586288#586288">View the full discussion</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content"><p>We need to be very careful about how user management is done, if it should be done at all for 7.0. Anything that stores state has to somehow be replicated across all the hosts in the domain. This opens the door to all kinds of problems:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><ul><li>Do you allow distribution of keystores which may have private keys? (very dangerous)</li><li>Do you store passwords in the domain.xml, and do you obfuscate them giving a false sense of security?</li><li>If it's not in domain.xml how is the state going to be replicated in a way thats consistent with domain.xml?</li></ul><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Also note that anyone serious about security, is probably going to prefer a centralized security server over a user password distribution model. In this case all of the work we do here would go to waste.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>In the meeting in Madison, we talked about how the likely easiest thing to do was to just have the domain.xml REFER to whatever the security store is, and then let the user decide how it gets on the box if it needs to be. They already have to install AS for every location, so that might as well drop a properties file if thats what they are using.</p></div>
<div style="background-color: #f4f4f4; padding: 10px; margin-top: 20px;">
<p style="margin: 0;">Reply to this message by <a href="http://community.jboss.org/message/586288#586288">going to Community</a></p>
<p style="margin: 0;">Start a new discussion in PicketBox Development at <a href="http://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2088">Community</a></p>
</div></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>