]
Jason Greene moved JBEAP-13091 to WFCORE-3267:
----------------------------------------------
Project: WildFly Core (was: JBoss Enterprise Application Platform)
Key: WFCORE-3267 (was: JBEAP-13091)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Security
(was: Security)
Affects Version/s: (was: 7.1.0.CR1)
Authorization identity forwarding not exposed to configuration
--------------------------------------------------------------
Key: WFCORE-3267
URL:
https://issues.jboss.org/browse/WFCORE-3267
Project: WildFly Core
Issue Type: Bug
Components: Security
Reporter: Jason Greene
Assignee: Jason Greene
Priority: Blocker
As part of EAP7-284, Elytron was designed for and contains implementation to support
trusted use of identities between peers in addition to credential forwarding. Cases in
which one would prefer this approach include:
* Scenarios where the user has requirements to not send passwords over the wire. Notably
credential forwarding requires TLS and/or secure networks
* Setups where an authentication type that does not support credential forwarding are
used (credential forwarding is limited to Plain, Form, and OAuth, all other mechanisms,
including the out of the box Digest auth of EAP are not)
* Environments where its desired to limit which systems are allowed to receive requests
which are propagated
Due to an oversight this capability was not properly wired to the server configuration
(nor a config method on the Elytron API).