[jboss-as7-dev] Web Application - Security Mechanism Selection

arjan.tijms arjan.tijms at gmail.com
Tue Jul 30 17:56:29 EDT 2013


Darran Lofthouse wrote
> Users are already used to providing a lot of their configuration within 
> the deployments - maybe even including PicketLink definitions where they 
> do not want to use definitions defined within the AS config. 

One extra case that I don't think was mentioned yet; with JASPIC it's also
possible to do a programmatic registration and configuration of an auth
module. See the first source listing at
http://arjan-tijms.blogspot.nl/2012/11/implementing-container-authentication.html
for an example of doing this in a ServletContextListener.

The support for this was even slightly improved for Java EE 7 (see
http://arjan-tijms.blogspot.nl/2013/04/whats-new-in-java-ee-7s-authentication.html).


>> JAAS can be one of the authentication mechanisms.  Ideally we should
>> look at providing an SPI. I presume we will have an SPI.
> 
> To clarify some of the terminology I am using here when I talk about a 
> mechanism I am talking about the part that is sending and parsing the 
> HTTP messages for challenges and responses.

Isn't that exactly what the JASPIC SPI (more specifically the Servlet
Profile of it) in Java EE is already for? Would it perhaps be an option to
use that one directly?


