[jboss-as7-dev] Web Security - Performance Considerations
Anil Saldhana
Anil.Saldhana at redhat.com
Thu Oct 20 14:58:33 EDT 2011
Hi Remy,
I just wanted to pick your brain on the following:
Web Authorization:
Previously, the JBoss Authorization stack was run by default for access
control unless the user configured not to do so. In JBoss AS7.1, we
have this disabled until the user configures the following in jboss-web.xml:
<use-jboss-authorization>true</use-jboss-authorization>
Web Audit:
I had a brief chat with JFClere last week and decided on the following:
JBossWebRealm will send audit events to the audit framework unless the
following setting is in jboss-web.xml:
<disable-audit>true</disable-audit>
Audit is the feature that can add minuscule overhead. So if you want to
turn off the audit by default, you have to change JBossWebRealm to
have: boolean disableAudit = true rather than the current "false". In
that case, we will require the users to configure jboss-web.xml if they
want audit for that particular webapp.
I think the authorization piece does not add any overhead. I just want
to check with you on the audit part.
Regards,
Anil
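
Added example, not part of the original message or of JBoss code: a small check that reads jboss-web.xml descriptors and reports the effective authorization and audit state under the AS7.1 defaults described above (JBoss authorization off until enabled, audit on until disabled). It assumes both elements are direct children of the descriptor root; the function names, sample descriptors and namespace value are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Defaults as described in the message above for JBoss AS7.1:
# JBoss authorization is off unless enabled, audit is on unless disabled.
DEFAULTS = {"use-jboss-authorization": False, "disable-audit": False}


def local(tag):
    """Strip an XML namespace so namespaced and plain descriptors both match."""
    return tag.rsplit("}", 1)[-1]


def effective_settings(jboss_web_xml):
    """Return the effective security flags for one webapp descriptor.

    Pass None when the webapp ships no jboss-web.xml at all.
    Assumption: the two elements sit directly under the root element.
    """
    flags = dict(DEFAULTS)
    if jboss_web_xml:
        root = ET.fromstring(jboss_web_xml)
        for child in root:
            name = local(child.tag)
            if name in flags:
                flags[name] = (child.text or "").strip().lower() == "true"
    return {
        "jboss_authorization": flags["use-jboss-authorization"],
        "audit_events": not flags["disable-audit"],
    }


def audit_disabled(apps):
    """List the webapps whose descriptor switches audit events off."""
    return sorted(n for n, x in apps.items()
                  if not effective_settings(x)["audit_events"])


# Constructed sample descriptors (not taken from a real deployment);
# the namespace below is a placeholder, not the real schema namespace.
SAMPLES = {
    "shop.war": None,
    "admin.war": "<jboss-web><use-jboss-authorization>true"
                 "</use-jboss-authorization></jboss-web>",
    "legacy.war": '<jboss-web xmlns="urn:example:placeholder">'
                  "<disable-audit> true </disable-audit></jboss-web>",
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(name, effective_settings(xml))
    print("audit disabled in:", audit_disabled(SAMPLES))
```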