Re: [jboss-as7-dev] security/web sucks, what can we change?
On Fri, 2011-06-17 at 10:56 -0400, Bill Burke wrote:
- Add ability to define JBossWeb Authenticators. Tomcat/JBossWeb
already has this ability inheritently built in, but unexposed. Similar
to DomainMapping, we'll have a org.jboss.web.Authenticators file that
has a class/auth-method mapping.
I am already prototyping this stuff in my git branch. I'm pretty sure
it can require zero changes to JBossWeb which should avoid getting Remy
all flustered.
You can already add any authenticator you like in your deployer (like if
you see JBOSS-SECURITY-DOMAIN in web.xml, you can add
JBossSecurityDomainAuthenticator), that's why you don't need to add some
nasty config like the one which existed in AS 6 to do it.
As for the rest, as long as you accept that this is going to be
incompatible with certain mechanisms, like SSO and the new Servlet 3
hooks, then it's probably fine.
--
Remy Maucherat <rmaucher(a)redhat.com>
Red Hat Inc