[JBoss JIRA] (ELY-174) HTTP Authentication
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-174?page=com.atlassian.jira.plugin.sy... ]
Darran Lofthouse updated ELY-174:
---------------------------------
Component/s: HTTP
> HTTP Authentication
> -------------------
>
> Key: ELY-174
> URL: https://issues.jboss.org/browse/ELY-174
> Project: WildFly Elytron
> Issue Type: Feature Request
> Components: HTTP
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Fix For: 1.0.0.Alpha1
>
>
> So far we have been very focussed on the SASL side of authentication, similar capabilities are required for HTTP - the difference being that SASL is based on selecting one at a time, HTTP all mechanisms need to run concurrently.
--
This message was sent by Atlassian JIRA
(v6.3.11#6341)
11 years, 3 months
[JBoss JIRA] (ELY-175) SASL mechanism availability should take into account credential support.
by Darran Lofthouse (JIRA)
Darran Lofthouse created ELY-175:
------------------------------------
Summary: SASL mechanism availability should take into account credential support.
Key: ELY-175
URL: https://issues.jboss.org/browse/ELY-175
Project: WildFly Elytron
Issue Type: Feature Request
Components: SASL
Reporter: Darran Lofthouse
Fix For: 1.0.0.Alpha1
One of the main reasons for having a getCredentialSupport API is so that we select appropriate authentication mechanisms based on the credentials available to us or the level of validation possible.
This should also consider advertising all variants of a mechanism or strongest only.
I will mention it here but we may want as a separate task some form of downgrade detection as this could be a sign of a malicious MITM.
--
This message was sent by Atlassian JIRA
(v6.3.11#6341)
11 years, 3 months
[JBoss JIRA] (WFCORE-43) Clarify the meaning of the 'server-state' and 'host-state' attributes
by luck3y (JIRA)
[ https://issues.jboss.org/browse/WFCORE-43?page=com.atlassian.jira.plugin.... ]
luck3y updated WFCORE-43:
-------------------------
Description:
This JIRA is to implement what I described in the dev list discussion around the various states a server can be in for graceful shutdown (http://lists.jboss.org/pipermail/wildfly-dev/2014-June/002360.html)
"I do think these are orthogonal and should not be combined.
The existing attribute is fundamentally about how the state of the
runtime services relates to the persistent configuration.
STARTING == out of sync due to still getting in sync during start
RUNNING == in sync
RELOAD_REQUIRED = out of sync, needs a reload to get in sync
RESTART_REQUIRED = out of sync, needs a full process restart to get in sync
There are two problems though with the existing attribute that exposes this:
1) It's named "server-state" on a server and "host-state" on a Host
Controller. Really crappy name; way too broad.
That's fixable by creating a new attribute and making the old one an
alias for compatibility purposes.
2) The RUNNING state is really poorly named.
The could perhaps be fixed by coming up with a new name and translating
it back to "RUNNING" in the handlers for the legacy "server-state" and
"host-state" attributes."
was:
This JIRA is to implement what I described in the dev list discussion around the various states a server can be in for graceful shutdown (http://lists.jboss.org/pipermail/wildfly-dev/2014-June/002360.html)
"I do think these are orthogonal and should not be combined.
The existing attribute is fundamentally about how the state of the
runtime services relates to the persistent configuration.
STARTING == out of sync due to still getting in sync during start
RUNNING == in sync
RELOAD_REQURIRED = out of sync, needs a reload to get in sync
RESTART_REQUIRED = out of sync, needs a full process restart to get in sync
There are two problems though with the existing attribute that exposes this:
1) It's named "server-state" on a server and "host-state" on a Host
Controller. Really crappy name; way too broad.
That's fixable by creating a new attribute and making the old one an
alias for compatibility purposes.
2) The RUNNING state is really poorly named.
The could perhaps be fixed by coming up with a new name and translating
it back to "RUNNING" in the handlers for the legacy "server-state" and
"host-state" attributes."
> Clarify the meaning of the 'server-state' and 'host-state' attributes
> ---------------------------------------------------------------------
>
> Key: WFCORE-43
> URL: https://issues.jboss.org/browse/WFCORE-43
> Project: WildFly Core
> Issue Type: Enhancement
> Components: Domain Management
> Reporter: Brian Stansberry
> Assignee: luck3y
> Fix For: 1.0.0.CR1
>
>
> This JIRA is to implement what I described in the dev list discussion around the various states a server can be in for graceful shutdown (http://lists.jboss.org/pipermail/wildfly-dev/2014-June/002360.html)
> "I do think these are orthogonal and should not be combined.
> The existing attribute is fundamentally about how the state of the
> runtime services relates to the persistent configuration.
> STARTING == out of sync due to still getting in sync during start
> RUNNING == in sync
> RELOAD_REQUIRED = out of sync, needs a reload to get in sync
> RESTART_REQUIRED = out of sync, needs a full process restart to get in sync
> There are two problems though with the existing attribute that exposes this:
> 1) It's named "server-state" on a server and "host-state" on a Host
> Controller. Really crappy name; way too broad.
> That's fixable by creating a new attribute and making the old one an
> alias for compatibility purposes.
> 2) The RUNNING state is really poorly named.
> The could perhaps be fixed by coming up with a new name and translating
> it back to "RUNNING" in the handlers for the legacy "server-state" and
> "host-state" attributes."
--
This message was sent by Atlassian JIRA
(v6.3.11#6341)
11 years, 3 months
[JBoss JIRA] (ELY-174) HTTP Authentication
by Darran Lofthouse (JIRA)
Darran Lofthouse created ELY-174:
------------------------------------
Summary: HTTP Authentication
Key: ELY-174
URL: https://issues.jboss.org/browse/ELY-174
Project: WildFly Elytron
Issue Type: Feature Request
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: 1.0.0.Alpha1
So far we have been very focussed on the SASL side of authentication, similar capabilities are required for HTTP - the difference being that SASL is based on selecting one at a time, HTTP all mechanisms need to run concurrently.
--
This message was sent by Atlassian JIRA
(v6.3.11#6341)
11 years, 3 months
[JBoss JIRA] (WFLY-4502) Don't reject transformation if default-stack is not defined for pre-3.0 versions of JGroups subsystem model
by Paul Ferraro (JIRA)
Paul Ferraro created WFLY-4502:
----------------------------------
Summary: Don't reject transformation if default-stack is not defined for pre-3.0 versions of JGroups subsystem model
Key: WFLY-4502
URL: https://issues.jboss.org/browse/WFLY-4502
Project: WildFly
Issue Type: Enhancement
Components: Clustering
Affects Versions: 9.0.0.Beta2
Reporter: Paul Ferraro
Assignee: Paul Ferraro
Currently, we require the default stack to be defined in order for the transformation to pre-3.0 versions of the model to succeed. We should be able to create an attribute converter that uses the stack of the default channel in the event that the default stack was not defined.
--
This message was sent by Atlassian JIRA
(v6.3.11#6341)
11 years, 3 months
[JBoss JIRA] (WFCORE-639) ManagementPermissionAuthorizer is limited to the standard roles for its authorizeJmxOperation impl
by Brian Stansberry (JIRA)
Brian Stansberry created WFCORE-639:
---------------------------------------
Summary: ManagementPermissionAuthorizer is limited to the standard roles for its authorizeJmxOperation impl
Key: WFCORE-639
URL: https://issues.jboss.org/browse/WFCORE-639
Project: WildFly Core
Issue Type: Bug
Components: Domain Management
Reporter: Brian Stansberry
ManagementPermissionAuthorizer.authorizeJmxOperation uses hard coded decision making based on the standard 7 roles. This is inflexible and specifically doesn't allow scoped roles to function properly.
I believe the JmxPermissionFactory interface needs to be redone to use permissions instead of role names. It should have an API more like org.jboss.as.controller.access.permission.PermissionFactory, with getUserPermissions and getRequiredPermissions. Something like
PermissionCollection getUserPermissions(Caller caller, Environment callEnvironment, JmxAction action)
PermissionCollection getRequiredPermissions(JmxAction action);
Then ManagementPermissionAuthorizer.authorizeJmxOperation does a permission match check similar to what it does for management resource permissions.
--
This message was sent by Atlassian JIRA
(v6.3.11#6341)
11 years, 3 months