[jboss-as7-dev] Security Subsystem Configuration Problems

[Jason T. Greene]

I have been looking into updating the security subsystem to comply 
properly with the management operation/interaction conventions, notably:

1. All attributes are writable
2. All operations and attributes have complete and correct descriptions
3. Resources are used in preference to custom attributes
4. Reasonable validation is performed

I also wanted to fix the plug point for custom login modules.

Digging into this though I found that this subsystem isn't complying 
with the overall Andiamo goal of only exposing things that the user 
cares about, and is safe to touch.

Pretty much all of the previously exiting wiring is exposed in the 
domain model. So like for example you can change the 
AuthenicationManager, TrustManager, CallBackHandler, AuditManager, and 
MappingManager.

Do we really want to expose these things? Are customers/users actually 
using these hooks? If so, is there better alternatives? As an example, 
if you replace the authentication manager, which is essentially the 
entire implementation of picketbox authentication, then the remaining 
configuration of the security domain might not even be handled properly.

I'd love to get this resolved, but in the meantime I am going to make 
this stuff be properties. That way we can at least avoid having to 
support it forever.

-- 
Jason T. Greene
JBoss AS Lead / EAP Platform Architect
JBoss, a division of Red Hat