9:56 a.m.
I'm not happy with the state of our security abstractions.
* For one, JBossWeb is stuck in Tomcat land and there are so many hacks
to propagate configuration/service objects to the various valves and
filters.
* Tomcat Realm and JBoss Security Domain are stuck in user/password
land. THere are a few protocols (i.e.SAML) that are not password
driven, (and maybe not even username driven). If you want to hook in
these protocols, you have to tunnel information through Threadlocals or
the PrincipalContext.
* There is no clear separation of concerns from Valve, Realm, and
Security Domain. Security Domain was originally intended to be a
user/password, user/role mapping. Some plugins are starting to bleed in
protocol information. Valves set Tomcat specific principal information.
JbossWebRealm bridges to the security domain and also sets JBoss
specific principal information.
* It is impossible to plug in a new Security Domain type at the moment.
* It is impossible to plug in a custom auth-method. (Remy is wrong
about not wanting to put this in.)
* If you want to plug in your own protocol it is a mess to do it. If
you look at picketlink, configuration is a combination of editing the
security domain config, adding tomcat valve, adding filters to web.xml.
So what do I want to do?
Step 1:
- Add ability to plug in a Security Domain type. Currently its all
hardcoded. I don't see any mechanism in AS7 at the moment for plugging
in IoC like information. I don't see mechanism for discovering config
files or a place to put config files in AS7. This isn't a bad thing. I
think what we could do is allow people to add a
"org.jboss.security.DomainMapping" file to META-INF/services directory
of any jar. When the Security Subsystem starts up it will search for
all files of that name and load up a mapping file.
- Add ability to define JBossWeb Authenticators. Tomcat/JBossWeb
already has this ability inheritently built in, but unexposed. Similar
to DomainMapping, we'll have a org.jboss.web.Authenticators file that
has a class/auth-method mapping.
I am already prototyping this stuff in my git branch. I'm pretty sure
it can require zero changes to JBossWeb which should avoid getting Remy
all flustered.
Step 2:
I'd like to gut JBossWeb security and Picketbox security. Redesign the
whole damn thing. Its just hacked and band-aided together. Its stuck
in ancient and obsolete user/password land needs to be more flexible.
- I think it would be very interesting to allow the Security Domain to
handle your authentication and authorization needs and have JBossWeb,
EJB, etc, delegate to the SecurityDomain. Allow the security domain to
view the HttpServletRequest, extract information, change the request,
etc. With this type of model your admin could deploy a new
authentication/authorization model onto an existing deployed
application. For exmaple, an app might start with user/password, but
later might convert the app to be TOTP/Soft/hard token based as they
roll out hard/soft tokens to their user base. There would be a new
auth-method named "JBOSS-SECURITY-DOMAIN". We'd need some serious
discussion on this before moving forward.
- Alternatively (and this is a must have without the above), the
SecurityDomain needs to become a more generic store of information other
than user/password user/role mappings. I writing some protocols that
use public-keys and a valve would need to query the security domain for
this key. A SAML valve may want to query the security domain for
assertions. You get the idea.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10:37 a.m.
On 06/17/2011 09:56 AM, Bill Burke wrote:
I'm not happy with the state of our security abstractions.
Me either.
[...]
So what do I want to do?
Step 1:
- Add ability to plug in a Security Domain type. Currently its all
hardcoded. I don't see any mechanism in AS7 at the moment for plugging
in IoC like information. I don't see mechanism for discovering config
files or a place to put config files in AS7. This isn't a bad thing. I
think what we could do is allow people to add a
"org.jboss.security.DomainMapping" file to META-INF/services directory
of any jar. When the Security Subsystem starts up it will search for
all files of that name and load up a mapping file.
I'm not sure I'm following along with this.
- Add ability to define JBossWeb Authenticators. Tomcat/JBossWeb
already has this ability inheritently built in, but unexposed. Similar
to DomainMapping, we'll have a org.jboss.web.Authenticators file that
has a class/auth-method mapping.
Definitely, I think this is a great idea. I'm not so sure about using a
"META-INF/services" file for anything other than ServiceLoader-style
class discovery though, but I'm not 100% sure that this is what you're
saying.
I am already prototyping this stuff in my git branch. I'm pretty
sure
it can require zero changes to JBossWeb which should avoid getting Remy
all flustered.
Always a plus :)
Step 2:
I'd like to gut JBossWeb security and Picketbox security. Redesign the
whole damn thing. Its just hacked and band-aided together. Its stuck
in ancient and obsolete user/password land needs to be more flexible.
Yeah for Remoting at least (and for other future stuff, like SSH, SFTP,
etc.) I'm looking at supporting public key (non-certificate)
authentication, and I'm a bit at a loss as to how I might reconcile this
with the username/password school of thought.
I don't have a lot of time now to expound on this but I think it's a
good initiative and I'd like to see where it goes.
--
- DML
11:20 a.m.
On 6/17/11 11:37 AM, David M. Lloyd wrote:
On 06/17/2011 09:56 AM, Bill Burke wrote:
> I'm not happy with the state of our security abstractions.
Me either.
[...]
> So what do I want to do?
>
> Step 1:
>
> - Add ability to plug in a Security Domain type. Currently its all
> hardcoded. I don't see any mechanism in AS7 at the moment for plugging
> in IoC like information. I don't see mechanism for discovering config
> files or a place to put config files in AS7. This isn't a bad thing. I
> think what we could do is allow people to add a
> "org.jboss.security.DomainMapping" file to META-INF/services directory
> of any jar. When the Security Subsystem starts up it will search for
> all files of that name and load up a mapping file.
I'm not sure I'm following along with this.
Security domains don't use a classname anymore. They use a code in the
domain.xml file. Right now that code to classname mapping is hard
coded. I'm suggesting a ServiceLoader-style class discovery that just
maps code to classname.
> - Add ability to define JBossWeb Authenticators.
Tomcat/JBossWeb
> already has this ability inheritently built in, but unexposed. Similar
> to DomainMapping, we'll have a org.jboss.web.Authenticators file that
> has a class/auth-method mapping.
Definitely, I think this is a great idea. I'm not so sure about using a
"META-INF/services" file for anything other than ServiceLoader-style
class discovery though, but I'm not 100% sure that this is what you're
saying.
How else could you plug in a code->classname map? I really liked the
idea of keeping implementation details out of the domain.xml config.
> Step 2:
> I'd like to gut JBossWeb security and Picketbox security. Redesign the
> whole damn thing. Its just hacked and band-aided together. Its stuck
> in ancient and obsolete user/password land needs to be more flexible.
Yeah for Remoting at least (and for other future stuff, like SSH, SFTP,
etc.) I'm looking at supporting public key (non-certificate)
authentication, and I'm a bit at a loss as to how I might reconcile this
with the username/password school of thought.
I've done a lot of work lately with digital signatures + HTTP in
Resteasy project. I'm implementing a signature-based approach to
authentication and ran into a brick wall when trying to figure out how
to integrate with AS7.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
11:27 a.m.
http://community.jboss.org/wiki/JBossAS7SecurityDomainModel
The last section shows how to add an authenticator as a valve (config,
courtesy Darran). Once you install
your authenticator, you have some control.
On 06/17/2011 11:20 AM, Bill Burke wrote:
On 6/17/11 11:37 AM, David M. Lloyd wrote:
> On 06/17/2011 09:56 AM, Bill Burke wrote:
>> I'm not happy with the state of our security abstractions.
> Me either.
>
> [...]
>> So what do I want to do?
>>
>> Step 1:
>>
>> - Add ability to plug in a Security Domain type. Currently its all
>> hardcoded. I don't see any mechanism in AS7 at the moment for plugging
>> in IoC like information. I don't see mechanism for discovering config
>> files or a place to put config files in AS7. This isn't a bad thing. I
>> think what we could do is allow people to add a
>> "org.jboss.security.DomainMapping" file to META-INF/services directory
>> of any jar. When the Security Subsystem starts up it will search for
>> all files of that name and load up a mapping file.
> I'm not sure I'm following along with this.
>
Security domains don't use a classname anymore. They use a code in the
domain.xml file. Right now that code to classname mapping is hard
coded. I'm suggesting a ServiceLoader-style class discovery that just
maps code to classname.
>> - Add ability to define JBossWeb Authenticators. Tomcat/JBossWeb
>> already has this ability inheritently built in, but unexposed. Similar
>> to DomainMapping, we'll have a org.jboss.web.Authenticators file that
>> has a class/auth-method mapping.
> Definitely, I think this is a great idea. I'm not so sure about using a
> "META-INF/services" file for anything other than ServiceLoader-style
> class discovery though, but I'm not 100% sure that this is what you're
> saying.
>
How else could you plug in a code->classname map? I really liked the
idea of keeping implementation details out of the domain.xml config.
>> Step 2:
>> I'd like to gut JBossWeb security and Picketbox security. Redesign the
>> whole damn thing. Its just hacked and band-aided together. Its stuck
>> in ancient and obsolete user/password land needs to be more flexible.
> Yeah for Remoting at least (and for other future stuff, like SSH, SFTP,
> etc.) I'm looking at supporting public key (non-certificate)
> authentication, and I'm a bit at a loss as to how I might reconcile this
> with the username/password school of thought.
>
I've done a lot of work lately with digital signatures + HTTP in
Resteasy project. I'm implementing a signature-based approach to
authentication and ran into a brick wall when trying to figure out how
to integrate with AS7.
11:59 a.m.
On 6/17/11 12:27 PM, Anil Saldhana wrote:
http://community.jboss.org/wiki/JBossAS7SecurityDomainModel
The last section shows how to add an authenticator as a valve (config,
courtesy Darran). Once you install
your authenticator, you have some control.
I'm aware of that. Users shouldn't have to list implementation details
for pluggable features we provide.
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
11:40 a.m.
On 06/17/2011 01:20 PM, Bill Burke wrote:
On 6/17/11 11:37 AM, David M. Lloyd wrote:
> On 06/17/2011 09:56 AM, Bill Burke wrote:
>> I'm not happy with the state of our security abstractions.
> Me either.
>
> [...]
>> So what do I want to do?
>>
>> Step 1:
>>
>> - Add ability to plug in a Security Domain type. Currently its all
>> hardcoded. I don't see any mechanism in AS7 at the moment for plugging
>> in IoC like information. I don't see mechanism for discovering config
>> files or a place to put config files in AS7. This isn't a bad thing. I
>> think what we could do is allow people to add a
>> "org.jboss.security.DomainMapping" file to META-INF/services directory
>> of any jar. When the Security Subsystem starts up it will search for
>> all files of that name and load up a mapping file.
> I'm not sure I'm following along with this.
>
Security domains don't use a classname anymore. They use a code in the
domain.xml file. Right now that code to classname mapping is hard
coded. I'm suggesting a ServiceLoader-style class discovery that just
maps code to classname.
You can still use a class name in the code attribute of security
domains. Those hardcoded aliases were created for implementations we
already provide along with AS so we can avoid using class names for our
own classes.
>> - Add ability to define JBossWeb Authenticators.
Tomcat/JBossWeb
>> already has this ability inheritently built in, but unexposed. Similar
>> to DomainMapping, we'll have a org.jboss.web.Authenticators file that
>> has a class/auth-method mapping.
> Definitely, I think this is a great idea. I'm not so sure about using a
> "META-INF/services" file for anything other than ServiceLoader-style
> class discovery though, but I'm not 100% sure that this is what you're
> saying.
>
How else could you plug in a code->classname map? I really liked the
idea of keeping implementation details out of the domain.xml config.
>> Step 2:
>> I'd like to gut JBossWeb security and Picketbox security. Redesign the
>> whole damn thing. Its just hacked and band-aided together. Its stuck
>> in ancient and obsolete user/password land needs to be more flexible.
> Yeah for Remoting at least (and for other future stuff, like SSH, SFTP,
> etc.) I'm looking at supporting public key (non-certificate)
> authentication, and I'm a bit at a loss as to how I might reconcile this
> with the username/password school of thought.
>
I've done a lot of work lately with digital signatures + HTTP in
Resteasy project. I'm implementing a signature-based approach to
authentication and ran into a brick wall when trying to figure out how
to integrate with AS7.
--
Marcus Moyses
JBoss Core Developer
JBoss by Red Hat
10:41 a.m.
On Fri, 2011-06-17 at 10:56 -0400, Bill Burke wrote:
- Add ability to define JBossWeb Authenticators. Tomcat/JBossWeb
already has this ability inheritently built in, but unexposed. Similar
to DomainMapping, we'll have a org.jboss.web.Authenticators file that
has a class/auth-method mapping.
I am already prototyping this stuff in my git branch. I'm pretty sure
it can require zero changes to JBossWeb which should avoid getting Remy
all flustered.
You can already add any authenticator you like in your deployer (like if
you see JBOSS-SECURITY-DOMAIN in web.xml, you can add
JBossSecurityDomainAuthenticator), that's why you don't need to add some
nasty config like the one which existed in AS 6 to do it.
As for the rest, as long as you accept that this is going to be
incompatible with certain mechanisms, like SSO and the new Servlet 3
hooks, then it's probably fine.
--
Remy Maucherat <rmaucher(a)redhat.com>
Red Hat Inc
11:07 a.m.
On 6/17/11 11:41 AM, Remy Maucherat wrote:
On Fri, 2011-06-17 at 10:56 -0400, Bill Burke wrote:
> - Add ability to define JBossWeb Authenticators. Tomcat/JBossWeb
> already has this ability inheritently built in, but unexposed. Similar
> to DomainMapping, we'll have a org.jboss.web.Authenticators file that
> has a class/auth-method mapping.
>
> I am already prototyping this stuff in my git branch. I'm pretty sure
> it can require zero changes to JBossWeb which should avoid getting Remy
> all flustered.
You can already add any authenticator you like in your deployer (like if
you see JBOSS-SECURITY-DOMAIN in web.xml, you can add
JBossSecurityDomainAuthenticator), that's why you don't need to add some
nasty config like the one which existed in AS 6 to do it.
Ah, you mean write a deployer, listen for JbossWebMetaData, and add what
you need to JbossWebMetaData? Won't JBossWeb see the
"JBOSS-SECURITY-DOMAIN" auth-method and barf?
As for the rest, as long as you accept that this is going to be
incompatible with certain mechanisms, like SSO and the new Servlet 3
hooks, then it's probably fine.
I'm interested in tighter integration with AS7 to make it as simple as
possible to configure and administrate security. We need hooks to write
plugins that can be installed to the app server as a whole. That allow
us to define features that users can use without a lot of (or any)
configuration. If Servlet 3 is adequate abstraction, then so be it, but
I thought it was a WAR deployment option?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
11:09 a.m.
On 06/17/2011 05:07 PM, Bill Burke wrote:
> You can already add any authenticator you like in your deployer
(like if
> you see JBOSS-SECURITY-DOMAIN in web.xml, you can add
> JBossSecurityDomainAuthenticator), that's why you don't need to add some
> nasty config like the one which existed in AS 6 to do it.
>
Ah, you mean write a deployer, listen for JbossWebMetaData, and add what
you need to JbossWebMetaData? Won't JBossWeb see the
"JBOSS-SECURITY-DOMAIN" auth-method and barf?
Within my web application I can confirm it does not object to the
non-standard auth-method.
11:13 a.m.
On Fri, 2011-06-17 at 12:07 -0400, Bill Burke wrote:
Ah, you mean write a deployer, listen for JbossWebMetaData, and add
what
you need to JbossWebMetaData? Won't JBossWeb see the
"JBOSS-SECURITY-DOMAIN" auth-method and barf?
If there's a valve that is an Authenticator that is already present, it
won't try to configure an authenticator valve itself.
I'm interested in tighter integration with AS7 to make it as
simple as
possible to configure and administrate security. We need hooks to write
plugins that can be installed to the app server as a whole. That allow
us to define features that users can use without a lot of (or any)
configuration. If Servlet 3 is adequate abstraction, then so be it, but
I thought it was a WAR deployment option?
I was talking about the login(username, password) and logout methods
that got added in Servlet 3.
--
Remy Maucherat <rmaucher(a)redhat.com>
Red Hat Inc
4943
days inactive
4943
days old
9 comments
6 participants
participants (6)
-
Anil Saldhana -
Bill Burke -
Darran Lofthouse -
David M. Lloyd -
Marcus Moyses -
Remy Maucherat