[jboss-as7-dev] security/web sucks, what can we change?
Anil Saldhana
Anil.Saldhana at redhat.com
Fri Jun 17 12:27:00 EDT 2011
http://community.jboss.org/wiki/JBossAS7SecurityDomainModel
The last section shows how to add an authenticator as a valve (config,
courtesy Darran). Once you install
your authenticator, you have some control.
On 06/17/2011 11:20 AM, Bill Burke wrote:
>
> On 6/17/11 11:37 AM, David M. Lloyd wrote:
>> On 06/17/2011 09:56 AM, Bill Burke wrote:
>>> I'm not happy with the state of our security abstractions.
>> Me either.
>>
>> [...]
>>> So what do I want to do?
>>>
>>> Step 1:
>>>
>>> - Add ability to plug in a Security Domain type. Currently its all
>>> hardcoded. I don't see any mechanism in AS7 at the moment for plugging
>>> in IoC like information. I don't see mechanism for discovering config
>>> files or a place to put config files in AS7. This isn't a bad thing. I
>>> think what we could do is allow people to add a
>>> "org.jboss.security.DomainMapping" file to META-INF/services directory
>>> of any jar. When the Security Subsystem starts up it will search for
>>> all files of that name and load up a mapping file.
>> I'm not sure I'm following along with this.
>>
> Security domains don't use a classname anymore. They use a code in the
> domain.xml file. Right now that code to classname mapping is hard
> coded. I'm suggesting a ServiceLoader-style class discovery that just
> maps code to classname.
>
>
>>> - Add ability to define JBossWeb Authenticators. Tomcat/JBossWeb
>>> already has this ability inheritently built in, but unexposed. Similar
>>> to DomainMapping, we'll have a org.jboss.web.Authenticators file that
>>> has a class/auth-method mapping.
>> Definitely, I think this is a great idea. I'm not so sure about using a
>> "META-INF/services" file for anything other than ServiceLoader-style
>> class discovery though, but I'm not 100% sure that this is what you're
>> saying.
>>
> How else could you plug in a code->classname map? I really liked the
> idea of keeping implementation details out of the domain.xml config.
>
>
>>> Step 2:
>>> I'd like to gut JBossWeb security and Picketbox security. Redesign the
>>> whole damn thing. Its just hacked and band-aided together. Its stuck
>>> in ancient and obsolete user/password land needs to be more flexible.
>> Yeah for Remoting at least (and for other future stuff, like SSH, SFTP,
>> etc.) I'm looking at supporting public key (non-certificate)
>> authentication, and I'm a bit at a loss as to how I might reconcile this
>> with the username/password school of thought.
>>
> I've done a lot of work lately with digital signatures + HTTP in
> Resteasy project. I'm implementing a signature-based approach to
> authentication and ran into a brick wall when trying to figure out how
> to integrate with AS7.
>
More information about the jboss-as7-dev
mailing list