[JBoss JIRA] (AS7-4692) Review SecurityContext associations
by Darran Lofthouse (JIRA)
Darran Lofthouse created AS7-4692:
-------------------------------------
Summary: Review SecurityContext associations
Key: AS7-4692
URL: https://issues.jboss.org/browse/AS7-4692
Project: Application Server 7
Issue Type: Task
Components: Security
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: 7.2.0.Alpha1
We should re-review the approach we take for security context association within AS7 containers.
Back at the time of AS 3 it fairly reliable to assume a 1:1 mapping of thread and client with the incoming connection being allocated it's own thread, this is no longer automatically the case and different containers can use different threading models e.g. using Executors to handle asynchronous requests.
The problem with using a ThreadLocal approach is that every time a container diverges from the 1:1 mapping of thread and client that container needs to work around the issue of an invalid SecurityContext association.
One possibility is to pass responsibility for managing the context to the container although this then introduces the question of how it is passed from container to container. This issue needs to consider this further.
Also need to review further how the security context can be created at all entry points to the server and how it can be manually switched now that we use SASL on entry for remote calls we do now have the opportunity for equivalent behaviour at the entry point for both web and ejb type calls - in the past we only had this opportunity for web based calls and would only create a security context on entering the interceptors for the EJB calls.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
11 years, 7 months
[JBoss JIRA] (AS7-4693) Revisit authenticated user / authorized user split
by Darran Lofthouse (JIRA)
Darran Lofthouse created AS7-4693:
-------------------------------------
Summary: Revisit authenticated user / authorized user split
Key: AS7-4693
URL: https://issues.jboss.org/browse/AS7-4693
Project: Application Server 7
Issue Type: Task
Components: Remoting, Security
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: 7.2.0.Alpha1
When establishing a connection a remote user can specify the user they want to be authorized as which can be different to the user they authenticate as, e.g. a user with appropriate permissions may want to connect as an administrator or a user given access to someone elses account may want to connect as them.
We need to re-visit this including validation that they can connect as the user they are asking to.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
11 years, 7 months
[JBoss JIRA] (AS7-5047) Allow more control over authentication for server to server communication through remote-outbound-connection
by jaikiran pai (JIRA)
jaikiran pai created AS7-5047:
---------------------------------
Summary: Allow more control over authentication for server to server communication through remote-outbound-connection
Key: AS7-5047
URL: https://issues.jboss.org/browse/AS7-5047
Project: Application Server 7
Issue Type: Feature Request
Components: Security
Affects Versions: 7.1.2.Final (EAP), 7.1.1.Final
Reporter: jaikiran pai
Assignee: Anil Saldhana
Right now for server to server communication via a remote-outbound-connection, we expect a static username to be specified (along with the security realm). User applications which use this remote-outbound-connection, for example an EJB application, do not have much control over the user/pass information, since the username is static. This further acts a drawback since the username that's used to connect to the remote server will be used as the (application) user who invoked the EJB.
It would be good to allow more control over the authentication for the remote-outbound-connection.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
11 years, 7 months
[JBoss JIRA] Created: (JBRULES-3155) Bug with default properties in KnowledgeStoreServiceImpl
by Pavel Sknar (JIRA)
Bug with default properties in KnowledgeStoreServiceImpl
--------------------------------------------------------
Key: JBRULES-3155
URL: https://issues.jboss.org/browse/JBRULES-3155
Project: Drools
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: drools-core
Affects Versions: 5.2.0.Final
Reporter: Pavel Sknar
Assignee: Mark Proctor
Priority: Critical
Method setDefaultImplementations() set default properties in configProps (class KnowledgeStoreServiceImpl). mergeConfig() execute after specific properties loaded to configuration. This overlaps specific properties.
[17:08] <pavlz> hi
[17:09] <pavlz> I have bug for you
[17:09] <Rikkola> :(
[17:10] <pavlz> Problem with KnowledgeStoreServiceImpl
[17:10] <pavlz> in org.drools.persistence.jpa
[17:12] <pavlz> default properties merged first in config (in ChainedProperties: this.props.add( 0, properties ))
[17:14] <pavlz> and this overlaps specific properties
[17:15] <pavlz> drools.commandService, drools.timerService and else
[17:15] <pavlz> I have this bug in 5.2.0.Final
[17:23] <conan> pavlz: do you have a fix?
[17:25] <pavlz> No, I see this now
[17:27] <pavlz> but I think: need to create in ChainedProperties new method "setDefaultProperties"
[17:29] <pavlz> and in SessionConfiguration too, to use this method in KnowledgeStoreServiceImpl.mergeConfig()
[17:30] <pavlz> then default properties loaded later
[17:31] <Rikkola> pavlz: best to make a jira about it
[17:31] <Rikkola> https://issues.jboss.org/browse/JBRULES
[17:31] <pavlz> ok
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
11 years, 7 months
[JBoss JIRA] (AS7-3691) A Negotiated HTTP Authenticator
by Darran Lofthouse (JIRA)
Darran Lofthouse created AS7-3691:
-------------------------------------
Summary: A Negotiated HTTP Authenticator
Key: AS7-3691
URL: https://issues.jboss.org/browse/AS7-3691
Project: Application Server 7
Issue Type: Task
Components: Domain Management, Security, Web
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Historically we have become constrained by an assumption that there should be a single authentication mechanism assigned to a web application.
The HTTP specification however allows for multiple mechanisms to be used in parallel - this task is to investigate the feasibility of writing a single authenticator that is compatible with both JBoss Web and the Sun HTTP server used within AS7 to support a negotiated authentication using a single authenticator backed by a CallbackHandler based realm.
The most common example is fallback from SPNEGO to a username / password based mechanism but for domain management we have also a case of trying to use CLIENT-CERT authentication first and then fallback if that is not possible.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
11 years, 7 months
[JBoss JIRA] (AS7-4224) Please add a more intuitive way to configure access logging
by Alex Holmansky (JIRA)
Alex Holmansky created AS7-4224:
-----------------------------------
Summary: Please add a more intuitive way to configure access logging
Key: AS7-4224
URL: https://issues.jboss.org/browse/AS7-4224
Project: Application Server 7
Issue Type: Enhancement
Components: CLI, Console
Affects Versions: 7.1.0.Final
Environment: Windows 7, CentOS 6
Reporter: Alex Holmansky
Assignee: Alexey Loubyansky
Priority: Minor
There's currently no intuitive way to configure access logging in the web subsystem. In the CLI I can get to what seems like the right area:
[standalone@localhost:9999 /] cd /subsystem=web/virtual-server=default-host
[standalone@localhost:9999 virtual-server=default-host] ls
access-log rewrite
sso alias=["localhost","example.com"]
default-web-module=ROOT.war enable-welcome-root=true
and even
[standalone@localhost:9999 virtual-server=default-host] cd access-log
[standalone@localhost:9999 access-log] pwd
/subsystem=web/virtual-server=default-host/access-log
but it's absolutely unclear what to do next.
In the web Admin Console this should be under Web->Servlet/HTTP->Virtual Servers, but is missing.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
11 years, 7 months