[jboss-as7-dev] security/web sucks, what can we change?
David M. Lloyd
david.lloyd at redhat.com
Fri Jun 17 11:37:06 EDT 2011
On 06/17/2011 09:56 AM, Bill Burke wrote:
> I'm not happy with the state of our security abstractions.
Me either.
[...]
> So what do I want to do?
>
> Step 1:
>
> - Add ability to plug in a Security Domain type. Currently its all
> hardcoded. I don't see any mechanism in AS7 at the moment for plugging
> in IoC like information. I don't see mechanism for discovering config
> files or a place to put config files in AS7. This isn't a bad thing. I
> think what we could do is allow people to add a
> "org.jboss.security.DomainMapping" file to META-INF/services directory
> of any jar. When the Security Subsystem starts up it will search for
> all files of that name and load up a mapping file.
I'm not sure I'm following along with this.
> - Add ability to define JBossWeb Authenticators. Tomcat/JBossWeb
> already has this ability inheritently built in, but unexposed. Similar
> to DomainMapping, we'll have a org.jboss.web.Authenticators file that
> has a class/auth-method mapping.
Definitely, I think this is a great idea. I'm not so sure about using a
"META-INF/services" file for anything other than ServiceLoader-style
class discovery though, but I'm not 100% sure that this is what you're
saying.
> I am already prototyping this stuff in my git branch. I'm pretty sure
> it can require zero changes to JBossWeb which should avoid getting Remy
> all flustered.
Always a plus :)
> Step 2:
> I'd like to gut JBossWeb security and Picketbox security. Redesign the
> whole damn thing. Its just hacked and band-aided together. Its stuck
> in ancient and obsolete user/password land needs to be more flexible.
Yeah for Remoting at least (and for other future stuff, like SSH, SFTP,
etc.) I'm looking at supporting public key (non-certificate)
authentication, and I'm a bit at a loss as to how I might reconcile this
with the username/password school of thought.
I don't have a lot of time now to expound on this but I think it's a
good initiative and I'd like to see where it goes.
--
- DML
More information about the jboss-as7-dev
mailing list