[security-dev] AS8 Security Design Discussions
darran.lofthouse at jboss.com
Sat Feb 23 09:06:16 EST 2013

I have just replied to the PicketLink subsystem thread, for AS8 as we
are looking at PicketLink IDM being the foundation for a unified
security solution across the whole of the application server I think
this is something we may want to start looking into sooner rather than

I believe from other discussions I have seen yourself and Stefan are
well under way regarding the whole internal propagation of security
contexts within the application server and how this will also apply when
working with security managers.

I am currently working on integrating the Undertow security framework
with the existing realms so we can potentially switch to Undertow for
domain management. At that point a switch to the IDM strategy of the
future would make sense - any effort to develop missing features can go
into PicketLink IDM instead of into any temporary solutions.

At that point we can work on improving the integration with Remoting and
the SASL mechanisms including reviewing if there are any alternative
mechanisms we want to be enabling.

Apart from HornetQ that we need to look at still this really covers the
two main entry points into the server to make transitioning to the
actual application server processes easier.

As I see it we then have some core tasks to solve that make more sense to
solve starting with a PicketLink integration rather than before: -

*SSL Configuration* - This covers configuration from just wishing to
encrypt traffic to wanting to make use of it as part of the
authentication process - this I believe causes it to be closely related
to the PicketLink integration. We need this to be consistent across the

*Identity Switching / Security Propagation* - This is something that
having an IDM available will help greatly with, especially when it comes
to making trust decisions - within AS8 I think this will be closely
related to integration work with Remoting and the SASL mechanisms.

*Legacy JAAS Support* - With the move to PicketLink there is still going
to be demand for support of LoginModules - plenty of discussions to be
had here regarding where this actually fits.

On 02/20/2013 04:43 PM, Anil Saldhana wrote:
> Hi All,
>
> the AS community work has moved on to AS8 which will primarily target
> Java EE7. This also means that we can actually take a look at changing
> the Security subsystem in the AS and incorporate changes that will help
> usability and deprecate functionality that is seldom used/low priority.
>
> Stefan, Darran and I have been discussing a few approaches in the last
> few weeks. Some of the major changes that may affect the design are the
> deprecation of JAAS as the primary authentication approach and bringing
> more of PicketLink IDM to the forefront.
>
> We can use this mailing list for discussions on AS8 security or we can
> use the AS7 dev list or do it in the forums.