Hi
I can understand nobody likes JAAS, including me.
But java.security.Principal, javax.security.auth.Subject are CORE JAAS
classes/interfaces.
(http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASR... )
So I don't see how to use them without JAAS.
When I look at the choice in Java
http://docs.oracle.com/javase/6/docs/technotes/guides/security/overview/j...
(bottom, Appendix A)
I can't see what else can be used for a multithreaded JVM.
For me the natural choice for security propagation will be GSS-API, which can be used with or
without JAAS.
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/tutor...
In addition you get SSO for free if used with KRB5.
Example: HTTP SPNEGO. You get authentication/authorization and a safe connection without
implementing krb5 yourself.
You delegate ticket validation to Java's built-in JAAS login module
com.sun.security.auth.module.Krb5LoginModule …
or you tell Java just to use the Red Hat GSS native libs, when the Red Hat server is already
configured for Kerberos.
One of many reasons I like AS7 & Red Hat Linux and especially Picketbox &
Picketlink.
There is a lot of cool stuff built into Java 6 and higher… I would take it.
If you don't like it, throw it away, take the interface and make a better implementation
yourself later… if you find time for it :-)
Radek