[JBoss JIRA] (WFLY-421) Domain Mode JMX access through the HostController
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-421?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse commented on WFLY-421:
---------------------------------------
If the other issues with the JMX console are addressed this could also allow us to expose the JMX console from the host controller and delegate the JMX calls through to the individual app server instances.
> Domain Mode JMX access through the HostController
> -------------------------------------------------
>
> Key: WFLY-421
> URL: https://issues.jboss.org/browse/WFLY-421
> Project: WildFly
> Issue Type: Task
> Security Level: Public(Everyone can see)
> Components: JMX, Remoting
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Labels: JMX, investigation_required
> Fix For: 9.0.0.CR1
>
>
> This task is first to review if this should be considered.
> At the moment access to JMX is provided through the remoting connector of each AS instance - this task is to consider if we should actually make it available through the host controller with the host controller acting as a proxy.
> The main motivation being to separate management and app traffic.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
12 years, 3 months
[JBoss JIRA] (WFLY-421) Domain Mode JMX access through the HostController
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-421?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse updated WFLY-421:
----------------------------------
Labels: JMX investigation_required (was: JMX)
> Domain Mode JMX access through the HostController
> -------------------------------------------------
>
> Key: WFLY-421
> URL: https://issues.jboss.org/browse/WFLY-421
> Project: WildFly
> Issue Type: Task
> Security Level: Public(Everyone can see)
> Components: JMX, Remoting
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Labels: JMX, investigation_required
> Fix For: 9.0.0.CR1
>
>
> This task is first to review if this should be considered.
> At the moment access to JMX is provided through the remoting connector of each AS instance - this task is to consider if we should actually make it available through the host controller with the host controller acting as a proxy.
> The main motivation being to separate management and app traffic.
[JBoss JIRA] (WFLY-447) Connection Reauthentication and Security Propagation
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-447?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse updated WFLY-447:
----------------------------------
Labels: authentication_service (was: )
> Connection Reauthentication and Security Propagation
> ----------------------------------------------------
>
> Key: WFLY-447
> URL: https://issues.jboss.org/browse/WFLY-447
> Project: WildFly
> Issue Type: Task
> Security Level: Public(Everyone can see)
> Components: EJB, Remoting, Security
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Labels: authentication_service
> Fix For: 9.0.0.CR1
>
>
> This task is a top level task to coordinate the addition of support for switching to different security identities on an existing connection over Remoting.
> This is to predominantly cover two major scenarios: -
> - Clients using a single connection but require different calls to be executed as different users, in this case the client has the information required to start a new authentication as a different user.
> - Server to server communication where the first server has already authenticated a remote user - for this scenario the first server needs a way to tell the second server what identity to run the call as.
> The following document is building up the requirements and design considerations and decisions: -
> https://community.jboss.org/wiki/ConnectionRe-AuthenticationAndSecurityPr...
[JBoss JIRA] (WFLY-442) Review of AccessController and PrivilegedAction use across AS7
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-442?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse updated WFLY-442:
----------------------------------
Labels: investigation_required (was: )
> Review of AccessController and PrivilegedAction use across AS7
> --------------------------------------------------------------
>
> Key: WFLY-442
> URL: https://issues.jboss.org/browse/WFLY-442
> Project: WildFly
> Issue Type: Task
> Security Level: Public(Everyone can see)
> Components: Security
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Labels: investigation_required
> Fix For: 9.0.0.CR1
>
>
> The following needs reviewing across AS7: -
> - On demand instantiation of PrivilegedActions where singletons would suffice (Consider frequency of calls, gc may be preferable).
> - Use of AccessController even though there is no SecurityManager set.
> - Code duplication, in every case I have seen so far the code is the same regardless of if PRIVILEGED or NON_PRIVILEGED
> - Utility methods with visibility too high.
> - In depth review of the other methods, i.e. if the first thing a public method does is set the class loader based on a parameter passed in it could be used badly - it may even be a justification for that method to NOT use a PrivilegedAction.
> - Code that requires to be executed using a PrivilegedAction should also be double checked that it is not doing too much as the identity of the caller.
[JBoss JIRA] (WFLY-431) Revisit enforcement of required file system permissions.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-431?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse updated WFLY-431:
----------------------------------
Labels: management_security, (was: )
> Revisit enforcement of required file system permissions.
> --------------------------------------------------------
>
> Key: WFLY-431
> URL: https://issues.jboss.org/browse/WFLY-431
> Project: WildFly
> Issue Type: Task
> Security Level: Public(Everyone can see)
> Components: Domain Management
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Labels: management_security,
> Fix For: 9.0.0.CR1
>
>
> Now that AS8 has moved to Java 7 we can re-visit the level of control we have over file system permissions, this can be from taking more control of the local authentication mechanism to ensure incorrect permissions are not inherited to verifying sensitive configuration files are not world readable.
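One way to perform the two checks WFLY-431 mentions using the Java 7 NIO.2 file API, as an added example that is not WildFly code: it reports world-accessible permission bits on a file and creates a file with explicit owner-only permissions rather than inherited ones. The class, method and file names are hypothetical.

```java
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

// Added example; class, method and file names are hypothetical, not WildFly code.
public class ConfigPermissionCheck {

    // Permission bits that expose a file to every local user.
    private static final Set<PosixFilePermission> WORLD = EnumSet.of(
            PosixFilePermission.OTHERS_READ,
            PosixFilePermission.OTHERS_WRITE,
            PosixFilePermission.OTHERS_EXECUTE);

    // Returns the world-accessible bits set on the file; an empty set means it passes.
    static Set<PosixFilePermission> worldBits(Path file) throws IOException {
        Set<PosixFilePermission> found = EnumSet.noneOf(PosixFilePermission.class);
        found.addAll(Files.getPosixFilePermissions(file));
        found.retainAll(WORLD);
        return found;
    }

    // Requests owner-only permissions in the creating call itself, so the file
    // never exists with wider permissions taken from the process defaults.
    static Path createOwnerOnly(Path file) throws IOException {
        return Files.createFile(file, PosixFilePermissions.asFileAttribute(
                PosixFilePermissions.fromString("rw-------")));
    }

    public static void main(String[] args) throws IOException {
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            System.out.println("No POSIX attribute view here; an ACL check is needed instead.");
            return;
        }
        Path dir = Files.createTempDirectory("perm-check"); // constructed sample files
        Path loose = Files.createFile(dir.resolve("sensitive.properties"));
        Files.setPosixFilePermissions(loose, PosixFilePermissions.fromString("rw-r--r--"));
        Path token = createOwnerOnly(dir.resolve("local-auth-token"));
        for (Path p : new Path[] { loose, token }) {
            Set<PosixFilePermission> bits = worldBits(p);
            System.out.println(p.getFileName() + " -> " + (bits.isEmpty() ? "ok" : "REJECT " + bits));
        }
    }
}
```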
[JBoss JIRA] (WFLY-460) Switchable Nonce Handling Strategy for HTTP DigestAuthenticator
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-460?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse updated WFLY-460:
----------------------------------
Fix Version/s: (was: 9.0.0.CR1)
> Switchable Nonce Handling Strategy for HTTP DigestAuthenticator
> ---------------------------------------------------------------
>
> Key: WFLY-460
> URL: https://issues.jboss.org/browse/WFLY-460
> Project: WildFly
> Issue Type: Task
> Security Level: Public(Everyone can see)
> Components: Security
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Labels: Common_Authentication
>
> Allow the nonce strategy to be switchable: -
> 1 - Real 'Number Used Once' - i.e. new nonce for each request.
> 2 - Nonce per connection i.e. as long as a connection is kept alive allow re-use of nonce - new nonce on new connection.
> 3 - Timed nonce - Generate a nonce with a server secret and timestamp, nonce will be accepted for a validity period.
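Strategy 3 from WFLY-460 (timed nonce built from a server secret and a timestamp), sketched as an added example that is not the project's code. The class name, the nonce layout and the choice of HMAC-SHA256 are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Added example of the timed nonce strategy; names and nonce layout are assumptions.
public class TimedNonce {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private final SecretKeySpec key;
    private final long validityMillis;
    TimedNonce(byte[] s, long v) { this.key = new SecretKeySpec(s, "HmacSHA256"); this.validityMillis = v; }

    // Nonce layout: "<issue time in ms>.<base64url(HMAC-SHA256(secret, issue time))>"
    String issue(long nowMillis) throws Exception {
        return nowMillis + "." + ENC.encodeToString(mac(Long.toString(nowMillis)));
    }

    // Stateless check: the MAC proves this server issued the timestamp; only then is its age tested.
    boolean accept(String nonce, long nowMillis) {
        try {
            int dot = nonce.indexOf('.');
            String ts = nonce.substring(0, dot);
            byte[] presented = Base64.getUrlDecoder().decode(nonce.substring(dot + 1));
            if (!MessageDigest.isEqual(presented, mac(ts))) return false; // constant-time compare
            long age = nowMillis - Long.parseLong(ts);
            return age >= 0 && age <= validityMillis;
        } catch (Exception e) {
            return false; // malformed nonce: treat as not issued by this server
        }
    }

    private byte[] mac(String ts) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        return m.doFinal(ts.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret); // constructed per-run server secret
        TimedNonce nonces = new TimedNonce(secret, 300_000); // 5 minute validity period
        String n = nonces.issue(1_000_000L);
        System.out.println("fresh:    " + nonces.accept(n, 1_060_000L));
        System.out.println("expired:  " + nonces.accept(n, 1_400_000L));
        System.out.println("tampered: " + nonces.accept("1390000" + n.substring(7), 1_400_000L));
    }
}
```

Unlike strategy 1, a timed nonce is accepted repeatedly until it expires, so the validity period bounds the replay window.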
[JBoss JIRA] (WFLY-482) Domain Management - Enable silent authentication using Kerberos
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-482?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse updated WFLY-482:
----------------------------------
Labels: Common_Authentication Kerberos, web_security (was: Common_Authentication Kerberos,)
> Domain Management - Enable silent authentication using Kerberos
> ---------------------------------------------------------------
>
> Key: WFLY-482
> URL: https://issues.jboss.org/browse/WFLY-482
> Project: WildFly
> Issue Type: Sub-task
> Security Level: Public(Everyone can see)
> Components: Domain Management, Security
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Labels: Common_Authentication, Kerberos,, web_security
> Fix For: 9.0.0.CR1
>
>
> It should be possible for users to authenticate for domain management using Kerberos.
> Over the HTTP interface this will be SPNEGO; for the Native connection we use SASL, so we can use GSSAPI.