<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Any objections to adding the access
control filters to the core module?<br>
<br>
On 05/02/2013 11:38 AM, Anil Saldhana wrote:<br>
</div>
<blockquote cite="mid:5182969F.8080305@redhat.com" type="cite">
<div class="moz-text-plain" wrap="true" graphical-quote="true"
style="font-family: -moz-fixed; font-size: 12px;"
lang="x-unicode">
<pre wrap="">That is fine. Timo should be secured with PicketLink Core alone. Right
now, authz classes are the missing bits.

On 05/02/2013 10:56 AM, Pedro Igor Silva wrote:
</pre>
<blockquote type="cite" style="color: #C0C0C0;">
<pre wrap=""><span class="moz-txt-citetags">> </span>I remember Shane saying that he is going to take a look at the permissions api, mainly after the latest changes to the idm/core apis.
<span class="moz-txt-citetags">></span>
<span class="moz-txt-citetags">> </span>I can start looking at that too, if necessary. Maybe providing some test cases to see the gaps (also provide some tests for the authentication stuff).
<span class="moz-txt-citetags">></span>
<span class="moz-txt-citetags">> </span>----- Original Message -----
<span class="moz-txt-citetags">> </span>From: "Anil Saldhana" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:Anil.Saldhana@redhat.com">&lt;Anil.Saldhana@redhat.com&gt;</a>
<span class="moz-txt-citetags">> </span>To: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a>
<span class="moz-txt-citetags">> </span>Sent: Thursday, May 2, 2013 12:31:26 PM
<span class="moz-txt-citetags">> </span>Subject: Re: [security-dev] Authorization constructs in PicketLink3
<span class="moz-txt-citetags">></span>
<span class="moz-txt-citetags">> </span>Right Pete - I do mention in the thread. I was referring to users
<span class="moz-txt-citetags">> </span>wanting alternative authorization mechanisms such as
<span class="moz-txt-citetags">> </span>that driven by Drools (as in Seam2) and maybe XACML. <span class="moz-smiley-s1" title=":)"><span>:)</span></span> Ideally, the
<span class="moz-txt-citetags">> </span>default authz mechanism by the rbac filter
<span class="moz-txt-citetags">> </span>should be the permissions module.
<span class="moz-txt-citetags">></span>
<span class="moz-txt-citetags">> </span>On 05/02/2013 10:24 AM, Pete Muir wrote:
</pre>
<blockquote type="cite" style="color: #C0C0C0;">
<pre wrap=""><span class="moz-txt-citetags">>> </span>Isn't this what the permissions module is for (API/SPI for authorisation)? I know it's not finished, but I think we have time to do that for 3.0…
<span class="moz-txt-citetags">>></span>
<span class="moz-txt-citetags">>> </span>We then add things like the RBAC filter delegating to it.
<span class="moz-txt-citetags">>></span>
<span class="moz-txt-citetags">>> </span>On 2 May 2013, at 16:21, Anil Saldhana <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:Anil.Saldhana@redhat.com">&lt;Anil.Saldhana@redhat.com&gt;</a> wrote:
<span class="moz-txt-citetags">>></span>
</pre>
<blockquote type="cite" style="color: #C0C0C0;">
<pre wrap=""><span class="moz-txt-citetags">>>> </span>That is what I meant by pluggable. But we need to be aware of
<span class="moz-txt-citetags">>>> </span>dependencies getting pulled into core. We
<span class="moz-txt-citetags">>>> </span>do not want a dependency on drools, for example, to use core. If users
<span class="moz-txt-citetags">>>> </span>want some particular authz stuff,
<span class="moz-txt-citetags">>>> </span>they should be able to pull in those dependencies.
<span class="moz-txt-citetags">>>></span>
<span class="moz-txt-citetags">>>> </span>I do not know yet how to get that done. <span class="moz-smiley-s3" title=";)"><span>;)</span></span>
<span class="moz-txt-citetags">>>></span>
<span class="moz-txt-citetags">>>> </span>On 05/02/2013 09:54 AM, Pedro Igor Silva wrote:
</pre>
<blockquote type="cite" style="color: #C0C0C0;">
<pre wrap=""><span class="moz-txt-citetags">>>>> </span>Maybe something we started with PicketBox, using Drools for rule-based authz, pluggable authz managers, etc.
<span class="moz-txt-citetags">>>>></span>
<span class="moz-txt-citetags">>>>> </span>JBoss Seam 2 also supports Drools for authorization ....
<span class="moz-txt-citetags">>>>></span>
<span class="moz-txt-citetags">>>>> </span>----- Original Message -----
<span class="moz-txt-citetags">>>>> </span>From: "Anil Saldhana" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:Anil.Saldhana@redhat.com">&lt;Anil.Saldhana@redhat.com&gt;</a>
<span class="moz-txt-citetags">>>>> </span>To: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a>
<span class="moz-txt-citetags">>>>> </span>Sent: Thursday, May 2, 2013 11:38:40 AM
<span class="moz-txt-citetags">>>>> </span>Subject: Re: [security-dev] Authorization constructs in PicketLink3
<span class="moz-txt-citetags">>>>></span>
<span class="moz-txt-citetags">>>>> </span>We have to remember the permission model work using IDM.
<span class="moz-txt-citetags">>>>></span>
<span class="moz-txt-citetags">>>>> </span>I wonder if this filter can use pluggable authorization mechanisms, then
<span class="moz-txt-citetags">>>>> </span>maybe the perfect start.
<span class="moz-txt-citetags">>>>></span>
<span class="moz-txt-citetags">>>>> </span>On 05/02/2013 09:36 AM, Pedro Igor Silva wrote:
</pre>
<blockquote type="cite" style="color: #C0C0C0;">
<pre wrap=""><span class="moz-txt-citetags">>>>>> </span>I was looking at the org.picketlink.authentication.web.AuthenticationFilter. This class resides on core-api and we did it given some input from AG for DIGEST and BASIC authentication.
<span class="moz-txt-citetags">>>>>></span>
<span class="moz-txt-citetags">>>>>> </span>Wondering if the authz filter we did for TIMO does not fit in the same case.
<span class="moz-txt-citetags">>>>>></span>
<span class="moz-txt-citetags">>>>>> </span>----- Original Message -----
<span class="moz-txt-citetags">>>>>> </span>From: "Anil Saldhana" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:Anil.Saldhana@redhat.com">&lt;Anil.Saldhana@redhat.com&gt;</a>
<span class="moz-txt-citetags">>>>>> </span>To: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a>
<span class="moz-txt-citetags">>>>>> </span>Sent: Tuesday, April 30, 2013 11:42:25 AM
<span class="moz-txt-citetags">>>>>> </span>Subject: [security-dev] Authorization constructs in PicketLink3
<span class="moz-txt-citetags">>>>>></span>
<span class="moz-txt-citetags">>>>>> </span>Shane/Pedro - we should start discussing the constructs for
<span class="moz-txt-citetags">>>>>> </span>authorization in PL3. We have a few options on the table. We need to
<span class="moz-txt-citetags">>>>>> </span>figure out what we need such that for PL3 users, we have some options.
<span class="moz-txt-citetags">>>>>> </span>Let's use this thread to figure out the various options/strategies.
<span class="moz-txt-citetags">>>>>></span>
<span class="moz-txt-citetags">>>>>></span>
<span class="moz-txt-citetags">>>>>></span>
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</div>
</blockquote>
<br>
</body>
</html>