Anil Saldhana [http://community.jboss.org/people/anil.saldhana%40jboss.com] created the discussion
"AS7: Web Security - JBossWebRealm"
To view the discussion, visit: http://community.jboss.org/message/579656#579656
--------------------------------------------------------------
I want to dedicate this thread to the web layer security in AS7.
For Web applications to utilize JACC or XACML authorization, we need the web authorization
checks to go through the JBoss Security authorization stack. This is not needed for the
majority of applications (which just rely on what is provided by spec/RealmBase
authorization checks).
I think we should make the access checks go through our authorization stack only when
desired.
JBossWebRealm:-
protected boolean useAuthorizationStack = false; //Default behavior
This property needs to be used based on the domain model settings. Additionally, the
realm should be customizable based on individual web apps (via domain model).
Additionally, we just need one security valve to incorporate what the JaccContextValve,
SecurityAssociationValve etc. did in AS5/6 in a very minimalistic way. Certainly JSR-196
is something to keep in mind here.
Things to note:
1. Minimize the access control checks.
2. Realm settings can be available at a per-web-app level.
3. Ability to incorporate behavior at the web app level (such as SSO) based on domain model
settings. It should be possible to enable SAMLv2 SSO at the web app level using the
default IDP that can be shipped with AS7.
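The gating described above, as an added sketch that is not code from the post or from JBossWeb/PicketBox: the realm keeps the spec-style role check as the default and only consults the JBoss Security authorization stack when the flag is enabled, globally or per web app. The `AuthorizationStack` interface, the `perWebAppOverride` map (standing in for domain model settings) and the simplified `hasResourcePermission` signature are all assumptions; whether the stack replaces or augments the spec check is not stated in the post, so here both must permit.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;

/** Hypothetical stand-in for the JBoss Security authorization stack (JACC/XACML providers). */
interface AuthorizationStack {
    /** true if the roles may access the resource; may throw when a provider fails. */
    boolean authorize(String contextPath, String resource, Set<String> roles) throws Exception;
}

/** Sketch of the realm: spec/RealmBase-style check by default, stack only when desired. */
class WebRealmSketch {
    protected boolean useAuthorizationStack = false; // default behavior, as in the proposal
    private final Map<String, Boolean> perWebAppOverride; // assumed: fed from the domain model
    private final AuthorizationStack stack;

    WebRealmSketch(AuthorizationStack stack, Map<String, Boolean> perWebAppOverride) {
        this.stack = stack;
        this.perWebAppOverride = perWebAppOverride;
    }

    /**
     * constraintRoles == null models "no auth-constraint" (everyone permitted);
     * an empty set models an auth-constraint with no roles (nobody permitted).
     */
    boolean hasResourcePermission(String contextPath, String resource,
                                  Set<String> userRoles, Set<String> constraintRoles) {
        // 1. Spec-style check: the caller must hold one of the constraint's roles.
        boolean specAllows = constraintRoles == null
                || !Collections.disjoint(userRoles, constraintRoles);
        if (!specAllows) {
            return false;
        }
        // 2. Consult the JBoss Security stack only when enabled for this web app.
        boolean enabled = perWebAppOverride.getOrDefault(contextPath, useAuthorizationStack);
        if (!enabled) {
            return true; // majority of apps: spec check alone decides
        }
        try {
            return stack.authorize(contextPath, resource, userRoles);
        } catch (Exception e) {
            return false; // fail closed: a provider error must never grant access
        }
    }
}
```

With the map empty and the flag left at its default, every decision is the spec check alone; putting `"/app"` to `true` in the map routes only that web app through the stack.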
--------------------------------------------------------------