+1. Recently looking at how different JDBC driver vendors and different
JDK vendors interpret the use of JAAS for Kerberos propagation, there are
a lot of different interpretations of the same spec / APIs!!
On 04/06/14 21:34, David M. Lloyd wrote:
On 06/04/2014 02:40 PM, Radoslaw Rodak wrote:
>> The following are presently non- or anti-goals:
>>
>> • Any provision to support JAAS Subject as a security context (due to
>> performance and correctness concerns)†
>> • Any provision to support JAAS LoginContext (due to tight integration
>> with Subject)
>> • Any provision to maintain API compatibility with PicketBox (this is
>> not presently an established requirement and thus would add undue
>> implementation complexity, if it is indeed even possible)
>> • Replicate Kerberos-style ticket-based credential forwarding (just use
>> Kerberos in this case)
>>
>> † You may note that this is in contrast with a previous post to the AS 7
>> list [9] in which I advocated simply unifying on Subject. Subsequent
>> research uncovered a number of performance and implementation weaknesses
>> in JAAS that have since convinced the security team that we should no
>> longer be relying on it.
>
>
> Is there any hope to have in Elytron a way to be able to integrate third-party
> products supporting user identity propagation with JAAS like CORBA, IBM MQ … with
> WildFly?
Yes, however it may not be possible using one single integration
methodology. Experience has shown that every vendor uses JAAS in
different ways, so we would have to approach each item on a case-by-case
basis.