[jboss-as7-dev] Securing the Console
Jason T. Greene
jason.greene at redhat.com
Thu Jan 20 13:56:56 EST 2011
On 1/20/11 11:00 AM, Heiko Braun wrote:
>> Since JAAS is a SE API, you can use it without using servlet. Also,
>> the jdk http server provides an impl for basic and digest auth as well
>> as support for ssl (although these are trivial to implement anyway)
>
> Ok, that's good. I was wondering about TLS. Let's figure out how
> authentication should actually work.
> I think this will identify the requirements.
Right, I agree with this approach: we need to identify the security
requirements and potential designs.

I created a shell wiki page we can update with various content:
http://community.jboss.org/wiki/ManagementConsoleDesign
> I would suggest a separate thread as well.
Done.
To start off with, for requirements:

- All of our domain API interfaces will need user auth of some sort,
either per session or per request
- We have a PRD/ERD requirement to allow integration with custom
security infrastructure (LDAP, etc.)
- TLS must be supported
- There is a PRD requirement to support multiple logins, and the ability
to manage them in the Console
- The ERD clarified that ACLs would be a JON feature above the console.
We could, if we have time, support some form of basic permissions
--
Jason T. Greene
JBoss, a division of Red Hat