10:51 a.m.
For deployments to JBoss AS7 is it still expected that the old way of
associating a security domain with a deployment / individual components
will be followed?
i.e. Specifying the <security-domain> element in the deployment
descriptors or using the SecurityDomain annotation on specific beans.
Has there been any consideration regarding assigning a security domain
as part of the actual deployment process i.e. deploy this archive and
use domain X.
Regards,
Darran Lofthouse.
11:03 a.m.
On 06/10/2011 12:51 PM, Darran Lofthouse wrote:
For deployments to JBoss AS7 is it still expected that the old way
of
associating a security domain with a deployment / individual components
will be followed?
i.e. Specifying the<security-domain> element in the deployment
descriptors or using the SecurityDomain annotation on specific beans.
Yes, the
<security-domain> element is still used, at least in WARs. I
think it should be used for EARs as well.
There is SecurityDomain annotation in the PicketBox project but it has
never been used for EJB3s. I think we should start using it to avoid
having 2 different annotations. Customers get confused with that.
Has there been any consideration regarding assigning a security
domain
as part of the actual deployment process i.e. deploy this archive and
use domain X.
It was decided that deploying a security domain along with an
application will not be a feature in AS7 as it would leave the security
domain unmanageable. Jason said we will discuss this feature for AS7.1
(there are other use cases for standalone deployments besides security
domains).
Regards,
Darran Lofthouse.
_______________________________________________
jboss-as7-dev mailing list
jboss-as7-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
--
Marcus Moyses
JBoss Core Developer
JBoss by Red Hat
11:06 a.m.
On 06/10/2011 05:03 PM, Marcus Moyses wrote:
> i.e. Specifying the<security-domain> element in the
deployment
> descriptors or using the SecurityDomain annotation on specific beans.
Yes, the<security-domain> element is still used, at least in WARs. I
think it should be used for EARs as well.
There is SecurityDomain annotation in the PicketBox project but it has
never been used for EJB3s. I think we should start using it to avoid
having 2 different annotations. Customers get confused with that.
> Has there been any consideration regarding assigning a security domain
> as part of the actual deployment process i.e. deploy this archive and
> use domain X.
Is there any plan to use this annotation with servlets?
11:09 a.m.
I think it would be a good idea to use the same annotation for servlets too.
If the EJB3 team is ok with using PB's annotation I can take a look at
integration it with servlets
On 06/10/2011 01:06 PM, Darran Lofthouse wrote:
On 06/10/2011 05:03 PM, Marcus Moyses wrote:
>> i.e. Specifying the<security-domain> element in the deployment
>> descriptors or using the SecurityDomain annotation on specific beans.
> Yes, the<security-domain> element is still used, at least in WARs. I
> think it should be used for EARs as well.
> There is SecurityDomain annotation in the PicketBox project but it has
> never been used for EJB3s. I think we should start using it to avoid
> having 2 different annotations. Customers get confused with that.
>> Has there been any consideration regarding assigning a security domain
>> as part of the actual deployment process i.e. deploy this archive and
>> use domain X.
Is there any plan to use this annotation with servlets?
--
Marcus Moyses
JBoss Core Developer
JBoss by Red Hat
12:08 p.m.
Using a common annotation sounds good but a down side is that the
annotation shares the package with a set of other annotations we do not
support - users my inadvertently think these are supported as well.
Regards,
Darran Lofthouse.
On 06/10/2011 05:09 PM, Marcus Moyses wrote:
I think it would be a good idea to use the same annotation for
servlets
too.
If the EJB3 team is ok with using PB's annotation I can take a look at
integration it with servlets
On 06/10/2011 01:06 PM, Darran Lofthouse wrote:
> On 06/10/2011 05:03 PM, Marcus Moyses wrote:
>>> i.e. Specifying the<security-domain> element in the deployment
>>> descriptors or using the SecurityDomain annotation on specific beans.
>> Yes, the<security-domain> element is still used, at least in WARs. I
>> think it should be used for EARs as well.
>> There is SecurityDomain annotation in the PicketBox project but it has
>> never been used for EJB3s. I think we should start using it to avoid
>> having 2 different annotations. Customers get confused with that.
>>> Has there been any consideration regarding assigning a security domain
>>> as part of the actual deployment process i.e. deploy this archive and
>>> use domain X.
>
> Is there any plan to use this annotation with servlets?
12:17 p.m.
I honestly don't know what those are used for.
Anil, can we remove those annotations for PB 4.0.0.GA?
On 06/10/2011 02:08 PM, Darran Lofthouse wrote:
Using a common annotation sounds good but a down side is that the
annotation shares the package with a set of other annotations we do
not support - users my inadvertently think these are supported as well.
Regards,
Darran Lofthouse.
On 06/10/2011 05:09 PM, Marcus Moyses wrote:
> I think it would be a good idea to use the same annotation for servlets
> too.
> If the EJB3 team is ok with using PB's annotation I can take a look at
> integration it with servlets
>
> On 06/10/2011 01:06 PM, Darran Lofthouse wrote:
>> On 06/10/2011 05:03 PM, Marcus Moyses wrote:
>>>> i.e. Specifying the<security-domain> element in the deployment
>>>> descriptors or using the SecurityDomain annotation on specific beans.
>>> Yes, the<security-domain> element is still used, at least in WARs. I
>>> think it should be used for EARs as well.
>>> There is SecurityDomain annotation in the PicketBox project but it has
>>> never been used for EJB3s. I think we should start using it to avoid
>>> having 2 different annotations. Customers get confused with that.
>>>> Has there been any consideration regarding assigning a security
>>>> domain
>>>> as part of the actual deployment process i.e. deploy this archive and
>>>> use domain X.
>>
>> Is there any plan to use this annotation with servlets?
>
--
Marcus Moyses
JBoss Core Developer
JBoss by Red Hat
1:24 p.m.
On Friday 10 June 2011 09:39 PM, Marcus Moyses wrote:
I think it would be a good idea to use the same annotation for
servlets too.
If the EJB3 team is ok with using PB's annotation I can take a look at
integration it with servlets
http://lists.jboss.org/pipermail/jboss-as7-dev/2011-June/002488.html
-Jaikiran
7:33 a.m.
On Fri, 2011-06-10 at 13:09 -0300, Marcus Moyses wrote:
I think it would be a good idea to use the same annotation for
servlets too.
If the EJB3 team is ok with using PB's annotation I can take a look at
integration it with servlets
Ah, so it would be possible to have two servlets in the same webapp with
two different security domains ? That sounds like something which would
make performance go down (additional per request lookup), and has no
actual benefit.
--
Remy Maucherat <rmaucher(a)redhat.com>
Red Hat Inc
7:40 a.m.
On Monday 13 June 2011 06:03 PM, Remy Maucherat wrote:
On Fri, 2011-06-10 at 13:09 -0300, Marcus Moyses wrote:
> I think it would be a good idea to use the same annotation for servlets too.
> If the EJB3 team is ok with using PB's annotation I can take a look at
> integration it with servlets
Ah, so it would be possible to have two servlets in the same webapp with
two different security domains ? That sounds like something which would
make performance go down (additional per request lookup), and has no
actual benefit.
Furthermore, isn't the security for web, based on url-pattern and _not_
per servlet class? For example the same servlet class might be mapped to
two different url-patterns and only one url-pattern might be secured. In
such cases having a @SecurityDomain on a servlet class won't work, isn't it?
-Jaikiran
7:57 a.m.
On Mon, 2011-06-13 at 18:10 +0530, Jaikiran Pai wrote:
Furthermore, isn't the security for web, based on url-pattern and
_not_
per servlet class? For example the same servlet class might be mapped to
two different url-patterns and only one url-pattern might be secured. In
such cases having a @SecurityDomain on a servlet class won't work, isn't it?
The new security annotation from Servlet 3 now corresponds to it, but
the basis of the servlet security ultimately remains URL matching.
--
Remy Maucherat <rmaucher(a)redhat.com>
Red Hat Inc
8:18 a.m.
http://java.dzone.com/articles/understanding-web-security
The constraints are a mix of url patterns and http methods.
On 06/13/2011 07:57 AM, Remy Maucherat wrote:
On Mon, 2011-06-13 at 18:10 +0530, Jaikiran Pai wrote:
> Furthermore, isn't the security for web, based on url-pattern and _not_
> per servlet class? For example the same servlet class might be mapped to
> two different url-patterns and only one url-pattern might be secured. In
> such cases having a @SecurityDomain on a servlet class won't work, isn't it?
The new security annotation from Servlet 3 now corresponds to it, but
the basis of the servlet security ultimately remains URL matching.
11:03 a.m.
On 6/10/11 10:51 AM, Darran Lofthouse wrote:
For deployments to JBoss AS7 is it still expected that the old way
of
associating a security domain with a deployment / individual components
will be followed?
i.e. Specifying the<security-domain> element in the deployment
descriptors or using the SecurityDomain annotation on specific beans.
Has there been any consideration regarding assigning a security domain
as part of the actual deployment process i.e. deploy this archive and
use domain X.
Not that I've heard of.
Regards,
Darran Lofthouse.
_______________________________________________
jboss-as7-dev mailing list
jboss-as7-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
--
Brian Stansberry
Principal Software Engineer
JBoss by Red Hat
4726
days inactive
4729
days old
11 comments
6 participants
participants (6)
-
Anil Saldhana -
Brian Stansberry -
Darran Lofthouse -
Jaikiran Pai -
Marcus Moyses -
Remy Maucherat