The following are presently non- or anti-goals:
• Any provision to support JAAS Subject as a security context (due to
performance and correctness concerns)†
• Any provision to support JAAS LoginContext (due to tight integration
with Subject)
• Any provision to maintain API compatibility with PicketBox (this is
not presently an established requirement and thus would add undue
implementation complexity, if it is indeed even possible)
• Replicate Kerberos-style ticket-based credential forwarding (just use
Kerberos in this case)
† You may note that this is in contrast with a previous post to the AS 7
list [9] in which I advocated simply unifying on Subject. Subsequent
research uncovered a number of performance and implementation weaknesses
in JAAS that have since convinced the security team that we should no
longer be relying on it.
Is there any hope of having in Elytron a way to integrate third-party products
supporting user identity propagation with JAAS, like CORBA, IBM MQ …, with WildFly?