Re: [jboss-as7-dev] security/web sucks, what can we change?

On 06/17/2011 09:56 AM, Bill Burke wrote: > I'm not happy with the state of our security abstractions. Me either. [...] > So what do I want to do? > > Step 1: > > - Add ability to plug in a Security Domain type. Currently its all > hardcoded. I don't see any mechanism in AS7 at the moment for plugging > in IoC like information. I don't see mechanism for discovering config > files or a place to put config files in AS7. This isn't a bad thing. I > think what we could do is allow people to add a > "org.jboss.security.DomainMapping" file to META-INF/services directory > of any jar. When the Security Subsystem starts up it will search for > all files of that name and load up a mapping file. I'm not sure I'm following along with this.

> - Add ability to define JBossWeb Authenticators. Tomcat/JBossWeb > already has this ability inheritently built in, but unexposed. Similar > to DomainMapping, we'll have a org.jboss.web.Authenticators file that > has a class/auth-method mapping. Definitely, I think this is a great idea. I'm not so sure about using a "META-INF/services" file for anything other than ServiceLoader-style class discovery though, but I'm not 100% sure that this is what you're saying.

> Step 2: > I'd like to gut JBossWeb security and Picketbox security. Redesign the > whole damn thing. Its just hacked and band-aided together. Its stuck > in ancient and obsolete user/password land needs to be more flexible. Yeah for Remoting at least (and for other future stuff, like SSH, SFTP, etc.) I'm looking at supporting public key (non-certificate) authentication, and I'm a bit at a loss as to how I might reconcile this with the username/password school of thought.