[jboss-as7-dev] security/web sucks, what can we change?
Bill Burke
bburke at redhat.com
Fri Jun 17 12:20:18 EDT 2011
On 6/17/11 11:37 AM, David M. Lloyd wrote:
> On 06/17/2011 09:56 AM, Bill Burke wrote:
>> I'm not happy with the state of our security abstractions.
>
> Me either.
>
> [...]
>> So what do I want to do?
>>
>> Step 1:
>>
>> - Add ability to plug in a Security Domain type. Currently its all
>> hardcoded. I don't see any mechanism in AS7 at the moment for plugging
>> in IoC like information. I don't see mechanism for discovering config
>> files or a place to put config files in AS7. This isn't a bad thing. I
>> think what we could do is allow people to add a
>> "org.jboss.security.DomainMapping" file to META-INF/services directory
>> of any jar. When the Security Subsystem starts up it will search for
>> all files of that name and load up a mapping file.
>
> I'm not sure I'm following along with this.
>
Security domains don't use a classname anymore. They use a code in the
domain.xml file. Right now that code to classname mapping is hard
coded. I'm suggesting a ServiceLoader-style class discovery that just
maps code to classname.
>> - Add ability to define JBossWeb Authenticators. Tomcat/JBossWeb
>> already has this ability inheritently built in, but unexposed. Similar
>> to DomainMapping, we'll have a org.jboss.web.Authenticators file that
>> has a class/auth-method mapping.
>
> Definitely, I think this is a great idea. I'm not so sure about using a
> "META-INF/services" file for anything other than ServiceLoader-style
> class discovery though, but I'm not 100% sure that this is what you're
> saying.
>
How else could you plug in a code->classname map? I really liked the
idea of keeping implementation details out of the domain.xml config.
>> Step 2:
>> I'd like to gut JBossWeb security and Picketbox security. Redesign the
>> whole damn thing. Its just hacked and band-aided together. Its stuck
>> in ancient and obsolete user/password land needs to be more flexible.
>
> Yeah for Remoting at least (and for other future stuff, like SSH, SFTP,
> etc.) I'm looking at supporting public key (non-certificate)
> authentication, and I'm a bit at a loss as to how I might reconcile this
> with the username/password school of thought.
>
I've done a lot of work lately with digital signatures + HTTP in
Resteasy project. I'm implementing a signature-based approach to
authentication and ran into a brick wall when trying to figure out how
to integrate with AS7.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the jboss-as7-dev
mailing list