On 05/06/14 10:50, arjan tijms wrote:
On Thu, Jun 5, 2014 at 10:50 AM, Darran Lofthouse
<darran.lofthouse(a)jboss.com <mailto:email@example.com>> wrote:
+1 Recently looking at how different JDBC driver vendors, and different
JDK vendors interpret the use of JAAS for Kerberos propagation there are
a lot of different interpretation of the same spec / APIs!!
JAAS, and especially JAAS in Java EE, is not the universal standard you
may think it is.
We have certainly come to that conclusion as well ;-)
My view on JAAS is that it is actually a client side API that pre-dated
J2EE, the J2EE specs left security decisions down to the vendors and as
at the time only simple security solutions were in demand (validate
plain text username and password) JAAS was quickly adopted as this was
something it could do.
It is then the demand for more complex solutions that have started to
show the limitations of how much can be achieved with it.
Some parts are interpreted differently, but other parts
are just not specified. How to store a username and roles in the "bag of
principles" that the Subject is, is particularly notorious. I wrote a
post about that subject (no pun) here:
I wonder btw if any of the work done for this WildFly Elytron project
(and previous work done for Picketbox/link) could possibly be used for
feedback on how to improve the security APIs in Java EE itself. Has this
ever been considered?