4:58 p.m.
Can we expect any security subsystem management op's in the near future?
(before 7.0.Final)
Currently there isn't much to lean on:
[domain@localhost:9999 /]
/profile=default/subsystem=security:read-resource(recursive=true)
{
"outcome" => "success",
"result" => {"security-domain" => {"other" =>
{"authentication" => [{
"code" => "UsersRoles",
"flag" => "required"
}]}}},
"compensating-operation" => undefined
}
Ike
11:48 p.m.
I'm working on adding at least one operation to flush the authentication
cache.
I'm open to suggestions if anyone can think of other operations that
might come in handy.
On 05/10/2011 11:58 AM, Heiko Braun wrote:
Can we expect any security subsystem management op's in the near future?
(before 7.0.Final)
Currently there isn't much to lean on:
[domain@localhost:9999 /]
/profile=default/subsystem=security:read-resource(recursive=true)
{
"outcome" => "success",
"result" => {"security-domain" => {"other"
=> {"authentication" => [{
"code" => "UsersRoles",
"flag" => "required"
}]}}},
"compensating-operation" => undefined
}
Ike
_______________________________________________
jboss-as7-dev mailing list
jboss-as7-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
--
Marcus Moyses
JBoss Core Developer
JBoss by Red Hat
10:54 a.m.
Looking at the operation response below, it seems you grant access to the
security domains. At least to a certain degree.
Would it make sense to expose this information?
If so, what does result actually mean?
> domain@localhost:9999 /]
/profile=default/subsystem=security:read-resource(recursive=true)
> {
> "outcome" => "success",
> "result" => {"security-domain" => {"other"
=> {"authentication" => [{
> "code" => "UsersRoles",
> "flag" => "required"
> }]}}},
> "compensating-operation" => undefined
> }
Ike
On May 10, 2011, at 11:48 PM, Marcus Moyses wrote:
I'm working on adding at least one operation to flush the
authentication cache.
I'm open to suggestions if anyone can think of other operations that might come in
handy.
On 05/10/2011 11:58 AM, Heiko Braun wrote:
>
> Can we expect any security subsystem management op's in the near future?
> (before 7.0.Final)
>
>
> Currently there isn't much to lean on:
>
> [domain@localhost:9999 /]
/profile=default/subsystem=security:read-resource(recursive=true)
> {
> "outcome" => "success",
> "result" => {"security-domain" => {"other"
=> {"authentication" => [{
> "code" => "UsersRoles",
> "flag" => "required"
> }]}}},
> "compensating-operation" => undefined
> }
>
>
> Ike
> _______________________________________________
> jboss-as7-dev mailing list
> jboss-as7-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
--
Marcus Moyses
JBoss Core Developer
JBoss by Red Hat
5:38 p.m.
----- Original Message -----
From: "Marcus Moyses" <mmoyses(a)redhat.com>
To: "Heiko Braun" <hbraun(a)redhat.com>
Cc: "jboss-as7-dev(a)lists.jboss.org Development"
<jboss-as7-dev(a)lists.jboss.org>
Sent: Tuesday, May 10, 2011 3:48:38 PM
Subject: Re: [jboss-as7-dev] Security Subsystem management use cases
I'm working on adding at least one operation to flush the
authentication
cache.
I'm open to suggestions if anyone can think of other operations that
might come in handy.
What about the JAAS security domain configuration as shown by Mastercard in their JBoss
World presentation? I'm sure there are many other things.
Andy
On 05/10/2011 11:58 AM, Heiko Braun wrote:
>
> Can we expect any security subsystem management op's in the near
> future?
> (before 7.0.Final)
>
>
> Currently there isn't much to lean on:
>
> [domain@localhost:9999 /]
> /profile=default/subsystem=security:read-resource(recursive=true)
> {
> "outcome" => "success",
> "result" => {"security-domain" =>
{"other" =>
> {"authentication" => [{
> "code" => "UsersRoles",
> "flag" => "required"
> }]}}},
> "compensating-operation" => undefined
> }
>
>
> Ike
> _______________________________________________
> jboss-as7-dev mailing list
> jboss-as7-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
--
Marcus Moyses
JBoss Core Developer
JBoss by Red Hat
_______________________________________________
jboss-as7-dev mailing list
jboss-as7-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
3:33 p.m.
----- Original Message -----
From: "Heiko Braun" <hbraun(a)redhat.com>
To: "Andrig Miller" <anmiller(a)redhat.com>
Cc: "Marcus Moyses" <mmoyses(a)redhat.com>,
"jboss-as7-dev(a)lists.jboss.org Development"
<jboss-as7-dev(a)lists.jboss.org>
Sent: Thursday, May 12, 2011 2:05:53 AM
Subject: Re: [jboss-as7-dev] Security Subsystem management use cases
On May 11, 2011, at 5:38 PM, Andrig Miller wrote:
> What about the JAAS security domain configuration as shown by
> Mastercard in their JBoss World presentation? I'm sure there are
> many other things.
Can you elaborate on that?
I'm not the expert on this, but in Mastercard's presentation, they showed a
configuration of a JAAS security domain, where they could remove the username/password
information, and externalize the security configuration outside of the deployed
applications, and use PicketLink STS.
Anil, should probably talk about this.
This is in EAP 5.1, and should obviously be carried over.
Andy
3:42 p.m.
Andy,
that would be http://community.jboss.org/thread/160148
Marcus has implemented the construct. I guess we need to evaluate if
that can be configurable via the console.
Inventory:
http://community.jboss.org/wiki/JBossAS7SecurityDevelopmentInventory
Regards,
Anil
On 05/12/2011 08:33 AM, Andrig Miller wrote:
----- Original Message -----
> From: "Heiko Braun"<hbraun(a)redhat.com>
> To: "Andrig Miller"<anmiller(a)redhat.com>
> Cc: "Marcus Moyses"<mmoyses(a)redhat.com>,
"jboss-as7-dev(a)lists.jboss.org
Development"<jboss-as7-dev(a)lists.jboss.org>
> Sent: Thursday, May 12, 2011 2:05:53 AM
> Subject: Re: [jboss-as7-dev] Security Subsystem management use cases
>
>
>
>
>
> On May 11, 2011, at 5:38 PM, Andrig Miller wrote:
>
>> What about the JAAS security domain configuration as shown by
>> Mastercard in their JBoss World presentation? I'm sure there are
>> many other things.
>
> Can you elaborate on that?
I'm not the expert on this, but in Mastercard's presentation, they showed a
configuration of a JAAS security domain, where they could remove the username/password
information, and externalize the security configuration outside of the deployed
applications, and use PicketLink STS.
Anil, should probably talk about this.
This is in EAP 5.1, and should obviously be carried over.
Andy
4:10 p.m.
It makes perfect sense for it to be configurable through the console to me. Especially in
domain mode, where you are going to role out JAAS security domains across lots of
servers/server groups.
Andy
----- Original Message -----
From: "Anil Saldhana" <Anil.Saldhana(a)redhat.com>
To: jboss-as7-dev(a)lists.jboss.org
Sent: Thursday, May 12, 2011 7:42:08 AM
Subject: Re: [jboss-as7-dev] Security Subsystem management use cases
Andy,
that would be http://community.jboss.org/thread/160148
Marcus has implemented the construct. I guess we need to evaluate if
that can be configurable via the console.
Inventory:
http://community.jboss.org/wiki/JBossAS7SecurityDevelopmentInventory
Regards,
Anil
On 05/12/2011 08:33 AM, Andrig Miller wrote:
>
> ----- Original Message -----
>> From: "Heiko Braun"<hbraun(a)redhat.com>
>> To: "Andrig Miller"<anmiller(a)redhat.com>
>> Cc: "Marcus Moyses"<mmoyses(a)redhat.com>,
>> "jboss-as7-dev(a)lists.jboss.org
>> Development"<jboss-as7-dev(a)lists.jboss.org>
>> Sent: Thursday, May 12, 2011 2:05:53 AM
>> Subject: Re: [jboss-as7-dev] Security Subsystem management use
>> cases
>>
>>
>>
>>
>>
>> On May 11, 2011, at 5:38 PM, Andrig Miller wrote:
>>
>>> What about the JAAS security domain configuration as shown by
>>> Mastercard in their JBoss World presentation? I'm sure there are
>>> many other things.
>>
>> Can you elaborate on that?
> I'm not the expert on this, but in Mastercard's presentation, they
> showed a configuration of a JAAS security domain, where they could
> remove the username/password information, and externalize the
> security configuration outside of the deployed applications, and
> use PicketLink STS.
>
> Anil, should probably talk about this.
>
> This is in EAP 5.1, and should obviously be carried over.
>
> Andy
_______________________________________________
jboss-as7-dev mailing list
jboss-as7-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
7:56 p.m.
My latest pull request (should be merged soon) adds 2 new operations to
a security domain: list-cached-principals and flush-cache.
As Anil said the construct for the JSSE security domains is already
included in AS7 and they are currently part of the <security-domain>
element. As we already have an operation to add security domains I think
we are covered for there.
On 05/12/2011 10:33 AM, Andrig Miller wrote:
----- Original Message -----
> From: "Heiko Braun"<hbraun(a)redhat.com>
> To: "Andrig Miller"<anmiller(a)redhat.com>
> Cc: "Marcus Moyses"<mmoyses(a)redhat.com>,
"jboss-as7-dev(a)lists.jboss.org
Development"<jboss-as7-dev(a)lists.jboss.org>
> Sent: Thursday, May 12, 2011 2:05:53 AM
> Subject: Re: [jboss-as7-dev] Security Subsystem management use cases
>
>
>
>
>
> On May 11, 2011, at 5:38 PM, Andrig Miller wrote:
>
>> What about the JAAS security domain configuration as shown by
>> Mastercard in their JBoss World presentation? I'm sure there are
>> many other things.
>
> Can you elaborate on that?
I'm not the expert on this, but in Mastercard's presentation, they showed a
configuration of a JAAS security domain, where they could remove the username/password
information, and externalize the security configuration outside of the deployed
applications, and use PicketLink STS.
Anil, should probably talk about this.
This is in EAP 5.1, and should obviously be carried over.
Andy
--
Marcus Moyses
JBoss Core Developer
JBoss by Red Hat
8:25 p.m.
Sounds great!
Andy
----- Original Message -----
From: "Marcus Moyses" <mmoyses(a)redhat.com>
To: "Andrig Miller" <anmiller(a)redhat.com>
Cc: "Heiko Braun" <hbraun(a)redhat.com>,
"jboss-as7-dev(a)lists.jboss.org Development"
<jboss-as7-dev(a)lists.jboss.org>
Sent: Thursday, May 12, 2011 11:56:35 AM
Subject: Re: [jboss-as7-dev] Security Subsystem management use cases
My latest pull request (should be merged soon) adds 2 new operations
to
a security domain: list-cached-principals and flush-cache.
As Anil said the construct for the JSSE security domains is already
included in AS7 and they are currently part of the <security-domain>
element. As we already have an operation to add security domains I
think
we are covered for there.
On 05/12/2011 10:33 AM, Andrig Miller wrote:
>
> ----- Original Message -----
>> From: "Heiko Braun"<hbraun(a)redhat.com>
>> To: "Andrig Miller"<anmiller(a)redhat.com>
>> Cc: "Marcus Moyses"<mmoyses(a)redhat.com>,
>> "jboss-as7-dev(a)lists.jboss.org
>> Development"<jboss-as7-dev(a)lists.jboss.org>
>> Sent: Thursday, May 12, 2011 2:05:53 AM
>> Subject: Re: [jboss-as7-dev] Security Subsystem management use
>> cases
>>
>>
>>
>>
>>
>> On May 11, 2011, at 5:38 PM, Andrig Miller wrote:
>>
>>> What about the JAAS security domain configuration as shown by
>>> Mastercard in their JBoss World presentation? I'm sure there are
>>> many other things.
>>
>> Can you elaborate on that?
> I'm not the expert on this, but in Mastercard's presentation, they
> showed a configuration of a JAAS security domain, where they could
> remove the username/password information, and externalize the
> security configuration outside of the deployed applications, and
> use PicketLink STS.
>
> Anil, should probably talk about this.
>
> This is in EAP 5.1, and should obviously be carried over.
>
> Andy
--
Marcus Moyses
JBoss Core Developer
JBoss by Red Hat
12:17 p.m.
On May 12, 2011, at 7:56 PM, Marcus Moyses wrote:
As Anil said the construct for the JSSE security domains is already
included in AS7 and they are currently part of the <security-domain> element. As we
already have an operation to add security domains I think we are covered for there.
Not sure if we are covered here. I can only tell that there is a security domain called
"other" and that it's required.
But that's about it:
[domain@localhost:9999 /]
/profile=default/subsystem=security:read-children-resources(child-type=security-domain,
recursive=true)
{
"outcome" => "success",
"result" => [("other" => {"authentication" =>
[{
"code" => "UsersRoles",
"flag" => "required"
}]})],
"compensating-operation" => undefined
}
I don't know all the nitty gritty details about the security subsystem and it
management use cases.
But apart from listing the security domains, aren't there other use cases you can
think of?
What about these:
- Creating new security domains? Possible? If so, how?
- Modifications to security domains? Does that make sense?
- [...]
Ike
3:49 p.m.
Hi Heiko,
when you get a chance, please take a look at WebSecurityCERTTestCase in
teststuite2/internals. There you will find an example of a security
domain being created and added to the server. I believe that's the
operation Andy mentioned. We probably need to make an UI that makes it
more intuitive to create the domains but the logic to add security
domains is there. Feel free to ping me if you need help understanding
the internals of a security domain.
On 05/13/2011 07:17 AM, Heiko Braun wrote:
On May 12, 2011, at 7:56 PM, Marcus Moyses wrote:
> As Anil said the construct for the JSSE security domains is already included in AS7
and they are currently part of the<security-domain> element. As we already have an
operation to add security domains I think we are covered for there.
Not sure if we are covered here. I can only tell that there is a security domain called
"other" and that it's required.
But that's about it:
[domain@localhost:9999 /]
/profile=default/subsystem=security:read-children-resources(child-type=security-domain,
recursive=true)
{
"outcome" => "success",
"result" => [("other" => {"authentication"
=> [{
"code" => "UsersRoles",
"flag" => "required"
}]})],
"compensating-operation" => undefined
}
I don't know all the nitty gritty details about the security subsystem and it
management use cases.
But apart from listing the security domains, aren't there other use cases you can
think of?
What about these:
- Creating new security domains? Possible? If so, how?
- Modifications to security domains? Does that make sense?
- [...]
Ike
--
Marcus Moyses
JBoss Core Developer
JBoss by Red Hat
3:58 p.m.
great, thanks. I will take a look at it.
On May 16, 2011, at 3:49 PM, Marcus Moyses wrote:
Hi Heiko,
when you get a chance, please take a look at WebSecurityCERTTestCase in
teststuite2/internals. There you will find an example of a security domain being created
and added to the server. I believe that's the operation Andy mentioned. We probably
need to make an UI that makes it more intuitive to create the domains but the logic to add
security domains is there. Feel free to ping me if you need help understanding the
internals of a security domain.
On 05/13/2011 07:17 AM, Heiko Braun wrote:
>
> On May 12, 2011, at 7:56 PM, Marcus Moyses wrote:
>
>> As Anil said the construct for the JSSE security domains is already included in
AS7 and they are currently part of the<security-domain> element. As we already have
an operation to add security domains I think we are covered for there.
> Not sure if we are covered here. I can only tell that there is a security domain
called "other" and that it's required.
> But that's about it:
>
> [domain@localhost:9999 /]
/profile=default/subsystem=security:read-children-resources(child-type=security-domain,
recursive=true)
> {
> "outcome" => "success",
> "result" => [("other" => {"authentication"
=> [{
> "code" => "UsersRoles",
> "flag" => "required"
> }]})],
> "compensating-operation" => undefined
> }
>
>
> I don't know all the nitty gritty details about the security subsystem and it
management use cases.
> But apart from listing the security domains, aren't there other use cases you can
think of?
> What about these:
>
> - Creating new security domains? Possible? If so, how?
> - Modifications to security domains? Does that make sense?
> - [...]
>
>
> Ike
>
>
>
>
>
--
Marcus Moyses
JBoss Core Developer
JBoss by Red Hat
4730
days inactive
4736
days old
12 comments
4 participants
participants (4)
-
Andrig Miller -
Anil Saldhana -
Heiko Braun -
Marcus Moyses