Heiko Braun [
https://community.jboss.org/people/heiko.braun] commented on the document
"Access control notes"
To view all comments on this document, visit:
https://community.jboss.org/docs/DOC-48596#comment-11952
--------------------------------------------------
consolidate all security configuration in the security
"subsystem"
we just need to be clear about the distinction between
application level security and domain level security. lack of separation leads to the
question how the access control for different roles (i.e. operator vs admin security
manager) can be realized.
an operator should be able to modify the application level security but prevented from
accessing the domain level security. now if evething resides with the secuirty subsystem,
we would either need very fine grained access control rules or a strict separation. My gut
feeling tells the later is more comprehensible.
--------------------------------------------------