[security-dev] AS8 Security Design Discussions

Darran Lofthouse darran.lofthouse at jboss.com
Sat Feb 23 09:06:16 EST 2013

Hello Anil,

I have just replied to the PicketLink subsystem thread. For AS8, as we 
are looking at PicketLink IDM being the foundation for a unified 
security solution across the whole of the application server, I think 
this is something we may want to start looking into sooner rather than 

I believe from other discussions I have seen yourself and Stefan are 
well under way regarding the whole internal propagation of security 
contexts within the application server and how this will also apply when 
working with security managers.

I am currently working on integrating the Undertow security framework 
with the existing realms so we can potentially switch to Undertow for 
domain management.  At that point a switch to the IDM strategy of the 
future would make sense - any effort to develop missing features can go 
into PicketLink IDM instead of into any temporary solutions.

At that point we can work on improving the integration with Remoting and 
the SASL mechanisms including reviewing if there are any alternative 
mechanisms we want to be enabling.

Apart from HornetQ, which we still need to look at, this really covers the 
two main entry points into the server, to make transitioning to the 
actual application server processes easier.

As I see it we then have some core tasks to solve that make more sense to 
solve starting with a PicketLink integration rather than before: -

*SSL Configuration* - This covers configuration from just wishing to 
encrypt traffic to wanting to make use of it as part of the 
authentication process - this I believe causes it to be closely related 
to the PicketLink integration.  We need this to be consistent across the 
application server.

*Identity Switching / Security Propagation* - This is something that 
having an IDM available will help greatly with, especially when it comes 
to making trust decisions - within AS8 I think this will be closely 
related to integration work with Remoting and the SASL mechanisms.

*Legacy JAAS Support* - With the move to PicketLink there is still going 
to be demand for support of LoginModules - plenty of discussions to be 
had here regarding where this actually fits.

Darran Lofthouse.

On 02/20/2013 04:43 PM, Anil Saldhana wrote:
> Hi All,
>     the AS community work has moved on to AS8, which will primarily target
> Java EE7.  This also means that we can actually take a look at changing
> the Security subsystem in the AS and incorporate changes that will help
> usability and deprecate functionality that is seldom used/low priority.
> Stefan, Darran and I have been discussing a few approaches in the last
> few weeks.  Some of the major changes that may affect the design are the
> deprecation of JAAS as the primary authentication approach and bringing more
> of PicketLink IDM to the forefront.
> We can use this mailing list for discussions on AS8 security or we can
> use the AS7 dev list or do it in the forums.
> Regards,
> Anil
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
