On 1/20/11 11:00 AM, Heiko Braun wrote:
> Since JAAS is a SE API, you can use it without using servlet. Also,
> the jdk http server provides an impl for basic and digest auth as well
> as support for ssl (although these are trivial to implement anyway)
Ok, that's good. I was wondering about TLS. Let's figure out how
authentication should actually work.
I think this will identify the requirements.
Right, I agree with this approach, we need to identify the security
requirements, and potential designs.
I created a shell wiki page we can update with various content:
http://community.jboss.org/wiki/ManagementConsoleDesign
I would suggest a separate thread as well.
Done.
To start off with for requirements:
- All of our domain API interfaces will need user auth of some sort,
either per session or per request
- We have a PRD/ERD requirement to allow integration with custom
security infrastructure (ldap etc)
- TLS must be supported
- There is a PRD requirement to support multiple logins, and the ability
to manage them in the Console
- The ERD clarified that ACLs would be a JON feature above the console.
We could, if we have time, support some form of basic permissions
--
Jason T. Greene
JBoss, a division of Red Hat