Is this still expected to be supported in AS7 for setting a username and password for later authentication? Regards, Darran Lofthouse.

On 06/10/2011 04:43 PM, Anil Saldhana wrote: > We have not discarded that LM. But is it expected to be supported? The org.jboss.security.annotation.SecurityDomain annotation has also not been discarded even though there is an EJB3 specific SecurityDomain annotation ;-)

> On 06/10/2011 10:42 AM, Darran Lofthouse wrote: >> Is this still expected to be supported in AS7 for setting a username and >> password for later authentication? >> >> Regards, >> Darran Lofthouse.

On 06/10/2011 04:49 PM, Anil Saldhana wrote: > On 06/10/2011 10:46 AM, Darran Lofthouse wrote: >> On 06/10/2011 04:43 PM, Anil Saldhana wrote: >>> We have not discarded that LM. >> But is it expected to be supported? >> >> The org.jboss.security.annotation.SecurityDomain annotation has also >> not >> been discarded even though there is an EJB3 specific SecurityDomain >> annotation ;-) >> > The EJB3 Security Domain annotation should be discarded for AS7 and > they need to use the one coming from PicketBox. Carlo / Jaikiran - are you Ok with the Picketbox @SecurityDomain annotation?

> On Friday 10 June 2011 09:23 PM, Darran Lofthouse wrote: > Also, I don't see why EJB3 needs to depend on that PicketBox annotation > for managing security. Why not continue using the EJB3 @SecurityDomain > and we internally pass on the relevant information to the PicketBox > project for security management. Or are you saying that PicketBox is > going to scan EJB3 classes for those PicketBox specific annotations? Agreed. EJB security is an EJB concern; PicketBox may be the implementation but it is not appropriate to change these annotations because of it. On the contrary we should continue to support org.jboss.ejb3.annotation - and maybe even org.jboss.ejb.annotation, to be honest. There is no compelling reason to change this now.

On 06/10/2011 07:21 PM, Jaikiran Pai wrote: > On Friday 10 June 2011 09:23 PM, Darran Lofthouse wrote: >>> The EJB3 Security Domain annotation should be discarded for AS7 and >>> they need to use the one coming from PicketBox. >> >> Carlo / Jaikiran - are you Ok with the Picketbox @SecurityDomain >> annotation? > I don't think that's a good idea. We've already had one round of such > changes from JBoss AS4 to JBoss AS5 where we changed the package names > of those annotations from org.jboss.annotation.* to > org.jboss.ejb3.annotation and users still keep running into problems > with that. Regarding that problem is it possible for us to detect the presence of other org.jboss.*.SecurityDomain annotations that we do not process? If so and maybe log a warning that we have not used it? I did loose count of the number of times users could not get security to work because they had the wrong annotation and the side effect was the security was not enabled.

On 06/10/2011 09:21 PM, Jason T. Greene wrote: > On 6/10/11 2:14 PM, Darran Lofthouse wrote: >> On 06/10/2011 07:21 PM, Jaikiran Pai wrote: >>> On Friday 10 June 2011 09:23 PM, Darran Lofthouse wrote: >>>>> The EJB3 Security Domain annotation should be discarded for AS7 and >>>>> they need to use the one coming from PicketBox. >>>> Carlo / Jaikiran - are you Ok with the Picketbox @SecurityDomain >>>> annotation? >>> I don't think that's a good idea. We've already had one round of such >>> changes from JBoss AS4 to JBoss AS5 where we changed the package names >>> of those annotations from org.jboss.annotation.* to >>> org.jboss.ejb3.annotation and users still keep running into problems >>> with that. >> Regarding that problem is it possible for us to detect the presence of >> other org.jboss.*.SecurityDomain annotations that we do not process? If >> so and maybe log a warning that we have not used it? >> >> I did loose count of the number of times users could not get security to >> work because they had the wrong annotation and the side effect was the >> security was not enabled. > We really just need to pick one. If we go with the common route it needs > to be polished, not something that requires a module import and has a > bunch of unsupported annotations in the same package. > org.jboss.ejb3.annotation.SecurityDomain and the associated <security-domain> from the dd are part of the EJB3 API. But alternatively we've been working on something that I find much better: org.jboss.security.annotation.SecurityDomain and in the dd: <assembly-descriptor> <picketbox:security-domain> <ejb-name>*</ejb-name> <picketbox:value>other</picketbox:value> </picketbox:security-domain> </assembly-descriptor> The picketbox elements can be formed in any which way PicketBox wants them. The metadata association logic comes from EJB3 code. (That would also allow us to use infinispan stuff for clustering, custom pool impls etc.) Carlo