[JBoss JIRA] (AS7-4693) Implement Trust for users requesting to run as a different user.
by Brian Stansberry (JIRA)
[ https://issues.jboss.org/browse/AS7-4693?page=com.atlassian.jira.plugin.s... ]
Brian Stansberry updated AS7-4693:
----------------------------------
Fix Version/s: 8.0.0.Alpha1
(was: 7.3.0.Alpha1)
> Implement Trust for users requesting to run as a different user.
> ----------------------------------------------------------------
>
> Key: AS7-4693
> URL: https://issues.jboss.org/browse/AS7-4693
> Project: Application Server 7
> Issue Type: Sub-task
> Components: Remoting, Security
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Fix For: 8.0.0.Alpha1
>
>
> Where SASL is used for authentication users can request to authenticate as themselves but to be authorized to connect to the server as a different user.
> A couple of examples where this could be used: -
> - A user granting access to another user to log into their account.
> - A user with two levels of access e.g. normal and admin and requesting they have admin level access.
> Another area we are looking to use this feature is where one server connects to another server but want to be able to run requests on the remote server using the identity of a specified user.
> This Jira issue is to enhance the security realms to allow for trust permissions to be defined - initially this will be local to a single realm but will subsequently be opened up to work across different realms.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
13 years, 4 months
[JBoss JIRA] (AS7-5901) Connection Reauthentication and Security Propagation
by Brian Stansberry (JIRA)
[ https://issues.jboss.org/browse/AS7-5901?page=com.atlassian.jira.plugin.s... ]
Brian Stansberry updated AS7-5901:
----------------------------------
Fix Version/s: 8.0.0.Alpha1
(was: 7.3.0.Alpha1)
> Connection Reauthentication and Security Propagation
> ----------------------------------------------------
>
> Key: AS7-5901
> URL: https://issues.jboss.org/browse/AS7-5901
> Project: Application Server 7
> Issue Type: Task
> Components: EJB, Remoting, Security
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Fix For: 8.0.0.Alpha1
>
>
> This task is a top level task to coordinate the addition of support for switching to different security identities on an existing connection over Remoting.
> This is to predominantly cover two major scenarios: -
> - Clients using a single connection but require different calls to be executed as different users, in this case the client has the information required to start a new authentication as a different user.
> - Server to server communication where the first server has already authenticated a remote user - for this scenario the first server needs a way to tell the second server what identity to run the call as.
> The following document is building up the requirements and design considerations and decisions: -
> https://community.jboss.org/wiki/ConnectionRe-AuthenticationAndSecurityPr...
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
13 years, 4 months
[JBoss JIRA] (AS7-6049) Where security services in domain management have a dedicated interface provide a ServiceName factory.
by Brian Stansberry (JIRA)
[ https://issues.jboss.org/browse/AS7-6049?page=com.atlassian.jira.plugin.s... ]
Brian Stansberry updated AS7-6049:
----------------------------------
Fix Version/s: 8.0.0.Alpha1
(was: 7.3.0.Alpha1)
> Where security services in domain management have a dedicated interface provide a ServiceName factory.
> ------------------------------------------------------------------------------------------------------
>
> Key: AS7-6049
> URL: https://issues.jboss.org/browse/AS7-6049
> Project: Application Server 7
> Issue Type: Task
> Components: Domain Management
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Fix For: 8.0.0.Alpha1
>
>
> Update each of the interfaces with a factory for generating the service name.
> {code}
> public static class ServiceNameFactory {
> public ServiceName createServiceName(final String realmName) {
> return null;
> }
> }
> {code}
> Strictly speaking these are not currently expected to be used outside the AS codebase but should they be used outside of the domain-management module this will be the recommended way to generate the service names.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
13 years, 4 months
[JBoss JIRA] (AS7-4692) Review SecurityContext associations
by Brian Stansberry (JIRA)
[ https://issues.jboss.org/browse/AS7-4692?page=com.atlassian.jira.plugin.s... ]
Brian Stansberry updated AS7-4692:
----------------------------------
Fix Version/s: 8.0.0.Alpha1
(was: 7.3.0.Alpha1)
> Review SecurityContext associations
> ------------------------------------
>
> Key: AS7-4692
> URL: https://issues.jboss.org/browse/AS7-4692
> Project: Application Server 7
> Issue Type: Sub-task
> Components: Security
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Labels: Security_SPI
> Fix For: 8.0.0.Alpha1
>
>
> We should re-review the approach we take for security context association within AS7 containers.
> Back at the time of AS 3 it fairly reliable to assume a 1:1 mapping of thread and client with the incoming connection being allocated it's own thread, this is no longer automatically the case and different containers can use different threading models e.g. using Executors to handle asynchronous requests.
> The problem with using a ThreadLocal approach is that every time a container diverges from the 1:1 mapping of thread and client that container needs to work around the issue of an invalid SecurityContext association.
> One possibility is to pass responsibility for managing the context to the container although this then introduces the question of how it is passed from container to container. This issue needs to consider this further.
> Also need to review further how the security context can be created at all entry points to the server and how it can be manually switched now that we use SASL on entry for remote calls we do now have the opportunity for equivalent behaviour at the entry point for both web and ejb type calls - in the past we only had this opportunity for web based calls and would only create a security context on entering the interceptors for the EJB calls.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
13 years, 4 months
[JBoss JIRA] (AS7-1712) Implement an account lockout mechanism for domain management.
by Brian Stansberry (JIRA)
[ https://issues.jboss.org/browse/AS7-1712?page=com.atlassian.jira.plugin.s... ]
Brian Stansberry updated AS7-1712:
----------------------------------
Fix Version/s: 8.0.0.Alpha1
(was: 7.3.0.Alpha1)
> Implement an account lockout mechanism for domain management.
> -------------------------------------------------------------
>
> Key: AS7-1712
> URL: https://issues.jboss.org/browse/AS7-1712
> Project: Application Server 7
> Issue Type: Task
> Components: Domain Management, Security
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Labels: Common_Authentication, Realm_Management
> Fix For: 8.0.0.Alpha1
>
>
> One issue to consider is that we are using realms to integrate with existing user stores so may not be able to update the remote store: -
> - Consider an option to update the remote store if possible.
> - If not cache a backlisted user until an admin unlocks that account
> Before being implemented this feature will require further discussion, in additional to locking mechanisms for unlocking should also be considered and also the potentional for denail of service type attacks based on locking out the administrators.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
13 years, 4 months