[jboss-as7-dev] security/web sucks, what can we change?

Bill Burke bburke at redhat.com
Fri Jun 17 12:07:15 EDT 2011



On 6/17/11 11:41 AM, Remy Maucherat wrote:
> On Fri, 2011-06-17 at 10:56 -0400, Bill Burke wrote:
>> - Add ability to define JBossWeb Authenticators.  Tomcat/JBossWeb
>> already has this ability inherently built in, but unexposed.  Similar
>> to DomainMapping, we'll have an org.jboss.web.Authenticators file that
>> has a class/auth-method mapping.
>>
>> I am already prototyping this stuff in my git branch.  I'm pretty sure
>> it can require zero changes to JBossWeb which should avoid getting Remy
>> all flustered.
>
> You can already add any authenticator you like in your deployer (like if
> you see JBOSS-SECURITY-DOMAIN in web.xml, you can add
> JBossSecurityDomainAuthenticator), that's why you don't need to add some
> nasty config like the one which existed in AS 6 to do it.
>

Ah, you mean write a deployer, listen for JbossWebMetaData, and add what 
you need to JbossWebMetaData?  Won't JBossWeb see the 
"JBOSS-SECURITY-DOMAIN" auth-method and barf?

> As for the rest, as long as you accept that this is going to be
> incompatible with certain mechanisms, like SSO and the new Servlet 3
> hooks, then it's probably fine.
>

I'm interested in tighter integration with AS7 to make it as simple as 
possible to configure and administrate security.  We need hooks to write 
plugins that can be installed to the app server as a whole, that allow
us to define features that users can use without a lot of (or any)
configuration.  If Servlet 3 is an adequate abstraction, then so be it, but
I thought it was a WAR deployment option?

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

