[
https://issues.jboss.org/browse/WFLY-1067?page=com.atlassian.jira.plugin....
]
David Lloyd commented on WFLY-1067:
-----------------------------------
This is a good writeup, thanks Richard.
I have a few additional comments:
* While usage of SASL without integrity/encryption support might be considered to be
"not fully utilizing SASL", I'd like to point out that recent SASL
mechanisms such as SCRAM no longer recommend or support encryption in any case, and
recommend other options (SSL, channel binding) which provide other, more secure,
encryption and integrity mechanisms. Instead, modern SASL mechanisms focus on securing the
authentication process itself, which (it seems to me) is still well-aligned with the point
of using SASL in JGroups, which is to simply cover authentication in a secure,
standards-adherent manner. So I recommend not worrying too much about QOP when you're
considering the usage of SASL for new applications.
* The Elytron SPI is intended to be able to integrate at a lower level with authentication
processes like this one. This means two things:
*# If you elect to use SASL, that integration should be particularly seamless and simple.
*# If you continue to support AUTH, you should have a much easier time acquiring and using
credentials.
* In the short term, if you want to make this work *now*, I'd say you should do
whatever you have to do to make it work sensibly. No hack is too ugly. :)
* In the medium to long term, please do communicate with the Elytron developers to ensure
that any special requirements you have will be met.
Integrate JGroups with core AS security infrastructure
------------------------------------------------------
Key: WFLY-1067
URL: https://issues.jboss.org/browse/WFLY-1067
Project: WildFly
Issue Type: Feature Request
Components: Clustering, Security
Reporter: Brian Stansberry
Assignee: Richard Achmatowicz
Container task for better integrating JGroups security with overall AS security. The
basic concept is that the various security-aware aspects of JGroups will expose an SPI, and the
AS can create implementations of those SPIs that integrate with the AS security realms.
The AS JGroups subsystem will inject the implementation into the JGroups runtime
components.
Subtasks are for the various aspects. These can be done separately but a common overall
design should be created to ensure a consistent approach is taken.