JBoss Community

AS7: Web Security - JBossWebRealm

created by Anil Saldhana in PicketBox Development

I want to dedicate this thread to the web layer security in AS7.

For Web applications to utilize JACC or XACML authorization, we need the web authorization checks to go through the JBoss Security authorization stack. This is not needed for the majority of applications (which just rely on what is provided by spec/RealmBase authorization checks).

I think we should make the access checks go through our authorization stack only when desired.

JBossWebRealm:-

    protected boolean useAuthorizationStack = false; //Default behavior

This property needs to be used based on the domain model settings. Additionally, the realm should be customizable based on individual web apps (via domain model).

Additionally, we just need one security valve to incorporate what the JaccContextValve, SecurityAssociationValve etc. did in AS5/6 in a very minimalistic way. Certainly JSR-196 is something to keep in mind here.

Things to note:

  1. Minimize the access control checks.
  2. Realm settings can be available at per web app level.
  3. Ability to incorporate behavior at web app level (such as SSO) based on domain model settings. It should be possible to enable SAMLv2 SSO at the web app level using the default IDP that can be shipped with AS7.
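As an added illustration (not code from this thread or from the PicketBox/AS7 sources), the opt-in behaviour the post proposes, sketched against Tomcat's RealmBase: the default path keeps the spec constraint checks, and only a realm configured with the flag delegates to the authorization stack. The AuthorizationStack interface, the setters and the class name OptInWebRealm are assumptions standing in for the JBoss Security authorization stack and the domain-model wiring.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Context;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.realm.RealmBase;

/** Hypothetical stand-in for the JBoss Security authorization stack (JACC/XACML modules). */
interface AuthorizationStack {
    boolean permits(Principal caller, String contextPath, String requestUri, String method);
}

/** Sketch of the opt-in check proposed in the thread; not the real JBossWebRealm source. */
public class OptInWebRealm extends RealmBase {
    protected boolean useAuthorizationStack = false; // default: spec/RealmBase checks only
    private AuthorizationStack authorizationStack;   // wired from the domain model (assumed)

    /** Hypothetical setters, to be driven by per-web-app domain model settings. */
    public void setUseAuthorizationStack(boolean flag) { this.useAuthorizationStack = flag; }
    public void setAuthorizationStack(AuthorizationStack stack) { this.authorizationStack = stack; }

    @Override
    public boolean hasResourcePermission(Request request, Response response,
            SecurityConstraint[] constraints, Context context) throws IOException {
        // Default path: keep the spec constraint matching that RealmBase already implements.
        if (!useAuthorizationStack) {
            return super.hasResourcePermission(request, response, constraints, context);
        }
        // Fail closed: the stack was requested for this web app but never wired in.
        if (authorizationStack == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        Principal caller = request.getUserPrincipal(); // null for unauthenticated callers
        boolean allowed = authorizationStack.permits(caller, context.getPath(),
                request.getRequestURI(), request.getMethod());
        if (!allowed) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
        return allowed;
    }

    // RealmBase abstract methods; authentication is out of scope for this sketch.
    @Override protected String getName() { return "OptInWebRealm"; }
    @Override protected String getPassword(String username) { return null; }
    @Override protected Principal getPrincipal(String username) { return null; }
}
```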
