Re: [jboss-as7-dev] security/web sucks, what can we change?

On 6/17/11 11:37 AM, David M. Lloyd wrote: > On 06/17/2011 09:56 AM, Bill Burke wrote: >> I'm not happy with the state of our security abstractions. > Me either. > > [...] >> So what do I want to do? >> >> Step 1: >> >> - Add ability to plug in a Security Domain type. Currently its all >> hardcoded. I don't see any mechanism in AS7 at the moment for plugging >> in IoC like information. I don't see mechanism for discovering config >> files or a place to put config files in AS7. This isn't a bad thing. I >> think what we could do is allow people to add a >> "org.jboss.security.DomainMapping" file to META-INF/services directory >> of any jar. When the Security Subsystem starts up it will search for >> all files of that name and load up a mapping file. > I'm not sure I'm following along with this. > Security domains don't use a classname anymore. They use a code in the domain.xml file. Right now that code to classname mapping is hard coded. I'm suggesting a ServiceLoader-style class discovery that just maps code to classname. >> - Add ability to define JBossWeb Authenticators. Tomcat/JBossWeb >> already has this ability inheritently built in, but unexposed. Similar >> to DomainMapping, we'll have a org.jboss.web.Authenticators file that >> has a class/auth-method mapping. > Definitely, I think this is a great idea. I'm not so sure about using a > "META-INF/services" file for anything other than ServiceLoader-style > class discovery though, but I'm not 100% sure that this is what you're > saying. > How else could you plug in a code->classname map? I really liked the idea of keeping implementation details out of the domain.xml config. >> Step 2: >> I'd like to gut JBossWeb security and Picketbox security. Redesign the >> whole damn thing. Its just hacked and band-aided together. Its stuck >> in ancient and obsolete user/password land needs to be more flexible. > Yeah for Remoting at least (and for other future stuff, like SSH, SFTP, > etc.) I'm looking at supporting public key (non-certificate) > authentication, and I'm a bit at a loss as to how I might reconcile this > with the username/password school of thought. > I've done a lot of work lately with digital signatures + HTTP in Resteasy project. I'm implementing a signature-based approach to authentication and ran into a brick wall when trying to figure out how to integrate with AS7.