Bill,
here is an article that I wrote to basically dump my understanding.
I know it is not comprehensive and you need more information, but it is
a start.
Regards,
Anil
On 10/18/2011 11:30 AM, Anil Saldhana wrote:
Bill,
I agree on the usable security part of the arguments and we will do
whatever we can.
Typically, I write articles such as the ones for JBoss AS5.1
http://java.dzone.com/users/janilsal
This is what I have for AS7.1
http://community.jboss.org/wiki/JBossAS7SecurityDomainModel
http://community.jboss.org/wiki/JBossAS7SecurityAuditing
I will provide a writeup on the EE web security you have asked for,
later in the day.
Regards,
Anil
On 10/18/2011 10:33 AM, Bill Burke wrote:
> Would be cool to see a very small writeup (even just an example
> web.xml/jboss-web.xml) that shows:
>
> a) What we *have* to support because of Java EE 6.
>
> b) What we *actually* want users to use.
>
> Having feature checkmarks is great, but these security interfaces really
> need a facelift. It still doesn't seem like a lot of effort is being
> put into the usability of both consuming a security plugin and writing one.
>
> On 10/18/11 10:09 AM, Anil Saldhana wrote:
>> Marcus,
>> this is in regard to your proposed changes to JBossWebRealm for the
>> authorization bits.
>>
>>
>> https://github.com/mmoyses/jboss-as/commit/ba3c43f8dfc9c201098392c5ebf904...
>>
>> Previously, in AS5/6, we had the JBoss Authorization enabled by default.
>> IMO for AS7, you have taken the right approach to allow the user to
>> configure whether to use JBoss Authz via a jboss-web.xml setting.
>>
>> We need to get this merged asap such that I can finish the auditing task
>> I am currently working on.
>>
>> Regards,
>> Anil
_______________________________________________
jboss-as7-dev mailing list
jboss-as7-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-as7-dev