[security-dev] Authorization constructs in PicketLink3

Pedro Igor Silva psilva at redhat.com
Thu May 2 11:56:34 EDT 2013


I remember Shane saying that he is going to take a look at the permissions api, mainly after the latest changes to the idm/core apis.

I can start looking at that too, if necessary. Maybe providing some test cases to see the gaps (also provide some tests for the authentication stuff).

----- Original Message -----
From: "Anil Saldhana" <Anil.Saldhana at redhat.com>
To: security-dev at lists.jboss.org
Sent: Thursday, May 2, 2013 12:31:26 PM
Subject: Re: [security-dev] Authorization constructs in PicketLink3

Right Pete - I do mention in the thread. I was referring to users 
wanting alternative authorization mechanisms such as
that driven by Drools (as in Seam2) and maybe XACML. :)  Ideally, the 
default authz mechanism by the rbac filter
should be the permissions module.

On 05/02/2013 10:24 AM, Pete Muir wrote:
> Isn't this what the permissions module is for (API/SPI for authorisation)? I know it's not finished, but I think we have time to do that for 3.0…
>
> We then add things like the RBAC filter delegating to it.
>
> On 2 May 2013, at 16:21, Anil Saldhana <Anil.Saldhana at redhat.com> wrote:
>
>> That is what I meant by pluggable. But we need to be aware of
>> dependencies getting pulled into core. We
>> do not want a dependency on drools, for example, to use core. If users
>> want some particular authz stuff,
>> they should be able to pull in those dependencies.
>>
>> I do not know yet how to get that done. ;)
>>
>> On 05/02/2013 09:54 AM, Pedro Igor Silva wrote:
>>> Maybe something we started with PicketBox, using Drools for rule-based authz, pluggable authz managers, etc.
>>>
>>> JBoss Seam 2 also supports Drools for authorization ....
>>>
>>> ----- Original Message -----
>>> From: "Anil Saldhana" <Anil.Saldhana at redhat.com>
>>> To: security-dev at lists.jboss.org
>>> Sent: Thursday, May 2, 2013 11:38:40 AM
>>> Subject: Re: [security-dev] Authorization constructs in PicketLink3
>>>
>>> We have to remember the permission model work using IDM.
>>>
>>> I wonder if this filter can use pluggable authorization mechanisms, then
>>> maybe the perfect start.
>>>
>>> On 05/02/2013 09:36 AM, Pedro Igor Silva wrote:
>>>> I was looking at the org.picketlink.authentication.web.AuthenticationFilter. This class resides on core-api and we did it given some input from AG for DIGEST and BASIC authentication.
>>>>
>>>> Wondering if the authz filter we did for TIMO does not fit in the same case.
>>>>
>>>> ----- Original Message -----
>>>> From: "Anil Saldhana" <Anil.Saldhana at redhat.com>
>>>> To: security-dev at lists.jboss.org
>>>> Sent: Tuesday, April 30, 2013 11:42:25 AM
>>>> Subject: [security-dev] Authorization constructs in PicketLink3
>>>>
>>>> Shane/Pedro - we should start discussing the constructs for
>>>> authorization in PL3.  We have a few options on the table. We need to
>>>> figure out what we need such that for PL3 users, we have some options.
>>>> Lets use this thread to figure out the various options/strategies.
>>>>
>>>>
_______________________________________________
security-dev mailing list
security-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev



More information about the security-dev mailing list