[security-dev] [jboss-as7-dev] Web Application - Security Mechanism Selection

Anil Saldhana Anil.Saldhana at redhat.com
Tue Mar 12 11:32:28 EDT 2013

   I like all the options you have put forward here.  Would you create a 
wiki article with the
design choices you are outlining?

Also answers inline.

On 03/12/2013 08:44 AM, Darran Lofthouse wrote:
> Firstly my apologies for sending to three lists but this is a topic that
> has a lot of interested parties so I wanted to make sure all were covered.
> We are currently working on what is needed for Undertow to be integrated
> within AS8 - making good progress with the standard mechanisms as
> specified by the servlet specification but now reaching the more complex
> configuration scenarios which I wanted to discuss in this e-mail.
> The core of Undertow supports multiple authentication mechanisms being
> active for a given web application concurrently e.g. Client Cert, Digest
> and SPNEGO all at the same time.  Some of this is enabled for domain
> management already but for web app deployments the initial behaviour is
> that a single mechanism is associated based on the web.xml.
> So the configuration I am now looking at obtaining some feedback for is: -
>    - Defining new authentication mechanisms.
>    - Defining a set of these mechanisms.
>    - Where these definitions should live, webapp? subsystem? both?
> Initially the integration will be with the existing JAAS domains as that
> is what exists today, once we have PicketLink available in a subsystem
> and the work David is working on regarding identity/request association
> then we will also migrate to those as well.
JAAS can be one of the authentication mechanisms.  Ideally we should
look at providing an SPI. I presume we will have an SPI.
> For the moment a web application is also associated with a single
> security domain - once we migrate to PicketLink it will be associated
> with a single defintion there.
> * Historic Configuration *
> Up until JBoss AS 6 it was possible for single authentication mechanisms
> to be defined within the JBoss Web configuration, within the web.xml the
> custom auth-method could then be referenced to enable the new mechanism.
>   From JBoss AS 7 the authentication mechanisms were defined by defining
> the mechanism as a valve within the jboss-web.xml - the presence of the
> mechanism was then detected during deployment causing the addition of a
> mechanism based on the auth-method to be skipped.
> In both cases the jboss-web.xml descriptor is used to associate the web
> application with the security domain.
> * AS8 Configuration *
> Users are already used to providing a lot of their configuration within
> the deployments - maybe even including PicketLink definitions where they
> do not want to use definitions defined within the AS config.
The configuration in the web app deployment should only be used to
override the configuration in the domain model IMO.
> However I have also seen demand from users to be able to take a ready
> built war and deploy it to development or production and have
> appropriate security settings defined in each environment.
> So for this reason I think we should take the approach of allowing full
> security configuration within the deployment but allowing for subsystem
> defined overrides to override the defined configuration at deployment time.
> I think this leads us to three areas of configuration: -
> 1 - Mechanism Definition
> This would be something simple along the lines of: -
>     <mechanism auth-method="..." module="..." class="...">
> 2 - Security Compound
> This needs a good name to be selected but the idea is the compound is an
> ordered set of authentication mechanisms associated with a domain e.g.
> <security-compound name="..." domain="...">
>     <mechanism auth-method="..." />
>     <mechanism module="..." class="..." />
> </security-compound>
> These mechanisms can either be a reference to previously defined
> mechanisms or can be a new definition that applies only to that compound.
> So far #1 and #2 can either be defined in a subsystem to be referenced
> subsequently or if these are defined within the jboss-web.xml descriptor
> they will apply to the web application being deployed.
> For #1 we will have defined internally the set of standard mechanisms
> and maybe a couple of additional mechanisms - the configuration can then
> be used to completely replace them with alternative implementations.
> 3 - Security Overrides
> This is something I am considering to live just within a subsystem, one
> or more fields are defined to match against web applications as they are
> being deployed and if there is a match the specified security-compound
> is applied to the web application instead of the definition within it's
> deployment descriptors.
> <security-override auth-method="..." war-name="..."
> security-domain="..." security-override="..." />
> The idea being if auth-method, war-name or security-domain match the
> values currently defined for the web app being deployed then the
> security settings are replaced with the specified security-compound.
> A couple of areas that I still need to look into in more details are how
> is additional configuration passed to the individual mechanisms
> including possible service injection and additional areas to override
> from the web.xml such as FORM or role mapping definitions but initially
> I want to focus on how the mechanisms are specified and associated and
> then build from there to add the additional settings.
> * Legacy Valve Support *
> I am also working on wrapping existing valves so that they can be used
> within Undertow when deployments are deployed to AS8 - however I see
> this as an alternative to the mechanisms supported by Undertow.
> As a valve would be used for legacy compatibility this would mean that
> previous functionality can be retained but moving forwards for better
> integration the valve would need to be migrated.
Very low priority. Maybe for backwards compatibility. But this will mean
you will be getting a lot of the older web code. If they have to deploy 
a legacy
valve, why not they rewrite the valve to the newer SPI?

> Regards,
> Darran Lofthouse.

More information about the security-dev mailing list