Do we have a list of the types of things that need restricting, and how we intend to
restrict them (e.g. CDI beans, EJBs, JAX-RS endpoints, servlets…)
On 2 May 2013, at 17:38, Anil Saldhana <Anil.Saldhana(a)redhat.com> wrote:
That is fine. Timo should be secured with PicketLink Core alone.
Right
now, authz classes are the missing bits.
On 05/02/2013 10:56 AM, Pedro Igor Silva wrote:
> I remember Shane saying that he is going to take a look at the permissions api,
mainly after the latest changes to the idm/core apis.
>
> I can start looking at that too, if necessary. Maybe providing some test cases to see
the gaps (also provide some tests for the authentication stuff).
>
> ----- Original Message -----
> From: "Anil Saldhana" <Anil.Saldhana(a)redhat.com>
> To: security-dev(a)lists.jboss.org
> Sent: Thursday, May 2, 2013 12:31:26 PM
> Subject: Re: [security-dev] Authorization constructs in PicketLink3
>
> Right Pete - I do mention in the thread. I was referring to users
> wanting alternative authorization mechanisms such as
> that driven by Drools (as in Seam2) and maybe XACML. :) Ideally, the
> default authz mechanism by the rbac filter
> should be the permissions module.
>
> On 05/02/2013 10:24 AM, Pete Muir wrote:
>> Isn't this what the permissions module is for (API/SPI for authorisation)? I
know it's not finished, but I think we have time to do that for 3.0…
>>
>> We then add things like the RBAC filter delegating to it.
>>
>> On 2 May 2013, at 16:21, Anil Saldhana <Anil.Saldhana(a)redhat.com> wrote:
>>
>>> That is what I meant by pluggable. But we need to be aware of
>>> dependencies getting pulled into core. We
>>> do not want a dependency on drools, for example, to use core. If users
>>> want some particular authz stuff,
>>> they should be able to pull in those dependencies.
>>>
>>> I do not know yet how to get that done. ;)
>>>
>>> On 05/02/2013 09:54 AM, Pedro Igor Silva wrote:
>>>> Maybe something we started with PicketBox, using Drools for rule-based
authz, pluggable authz managers, etc.
>>>>
>>>> JBoss Seam 2 also supports Drools for authorization ....
>>>>
>>>> ----- Original Message -----
>>>> From: "Anil Saldhana" <Anil.Saldhana(a)redhat.com>
>>>> To: security-dev(a)lists.jboss.org
>>>> Sent: Thursday, May 2, 2013 11:38:40 AM
>>>> Subject: Re: [security-dev] Authorization constructs in PicketLink3
>>>>
>>>> We have to remember the permission model work using IDM.
>>>>
>>>> I wonder if this filter can use pluggable authorization mechanisms, then
>>>> maybe the perfect start.
>>>>
>>>> On 05/02/2013 09:36 AM, Pedro Igor Silva wrote:
>>>>> I was looking at the
org.picketlink.authentication.web.AuthenticationFilter. This class resides on core-api and
we did it given some input from AG for DIGEST and BASIC authentication.
>>>>>
>>>>> Wondering if the authz filter we did for TIMO does not fit in the
same case.
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Anil Saldhana" <Anil.Saldhana(a)redhat.com>
>>>>> To: security-dev(a)lists.jboss.org
>>>>> Sent: Tuesday, April 30, 2013 11:42:25 AM
>>>>> Subject: [security-dev] Authorization constructs in PicketLink3
>>>>>
>>>>> Shane/Pedro - we should start discussing the constructs for
>>>>> authorization in PL3. We have a few options on the table. We need
to
>>>>> figure out what we need such that for PL3 users, we have some
options.
>>>>> Lets use this thread to figure out the various options/strategies.
>>>>>
>>>>>
>>>>>
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev