[jboss-as7-dev] On security context and propagation

Radoslaw Rodak rodakr at gmx.ch
Mon Mar 4 17:00:57 EST 2013


Hi

I can understand nobody likes JAAS, including me.
But java.security.Principal and javax.security.auth.Subject are CORE JAAS classes/interfaces.
( http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html )
So I don't see how to use them without JAAS.

When I look at the choices in Java
http://docs.oracle.com/javase/6/docs/technotes/guides/security/overview/jsoverview.html ( bottom, Appendix A )
I can't see what else can be used for a multithreaded JVM.

For me the natural choice for security propagation would be GSS-API, which can be used with or without JAAS.
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/tutorials/index.html
In addition you get SSO for free if used with KRB5.

Example: HTTP SPNEGO. You get authentication/authorization and a safe connection without implementing krb5 yourself.
You delegate ticket validation to the Java built-in JAAS login module com.sun.security.auth.module.Krb5LoginModule…
or you tell Java just to use the Red Hat GSS native libs, when the Red Hat server is already configured for Kerberos.
One of many reasons I like AS7 & Red Hat Linux and especially PicketBox & PicketLink.

There is a lot of cool stuff built in in Java 6 and higher… I would take it.
If you don't like it, throw it away, take the interface and make a better implementation yourself later… if you find time for it :-)

Radek
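As an added illustration (not code from the post, nor from AS7 or PicketBox), the HTTP SPNEGO flow described above in plain Java SE: the service logs in through Krb5LoginModule, accepts the client's Negotiate token via GSS-API, and the resulting Subject is then propagated with Subject.doAs so downstream code sees the caller's Principal. The JAAS entry name ServiceKerberos is an assumption and needs a matching login configuration backed by a service keytab.

```java
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

public class SpnegoAcceptor {
    // SPNEGO mechanism OID (RFC 4178); Kerberos v5 is negotiated underneath it.
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";
    // JAAS entry backed by com.sun.security.auth.module.Krb5LoginModule and the
    // service keytab. The entry name is an assumption, not a standard name.
    private static final String SERVICE_LOGIN_ENTRY = "ServiceKerberos";

    /** Accept the client's SPNEGO token (the decoded "Authorization: Negotiate" value)
     *  and return a Subject carrying the authenticated client principal. */
    static Subject acceptClientToken(final byte[] clientToken) throws Exception {
        // Krb5LoginModule does all ticket handling; no krb5 is implemented here.
        LoginContext lc = new LoginContext(SERVICE_LOGIN_ENTRY);
        lc.login();
        return Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<Subject>() {
            public Subject run() throws GSSException {
                GSSManager mgr = GSSManager.getInstance();
                GSSCredential serverCred = mgr.createCredential(null,
                        GSSCredential.INDEFINITE_LIFETIME, new Oid(SPNEGO_OID),
                        GSSCredential.ACCEPT_ONLY);
                GSSContext ctx = mgr.createContext(serverCred);
                byte[] reply = ctx.acceptSecContext(clientToken, 0, clientToken.length);
                // Kerberos-backed SPNEGO normally completes in one round trip; a non-null
                // 'reply' (mutual-auth AP-REP) still goes back in WWW-Authenticate: Negotiate.
                if (!ctx.isEstablished()) throw new GSSException(GSSException.FAILURE);
                Subject client = new Subject();
                client.getPrincipals().add(new KerberosPrincipal(ctx.getSrcName().toString()));
                // A delegated credential lets the next hop act as the client (SSO chain).
                if (ctx.getCredDelegState()) client.getPrivateCredentials().add(ctx.getDelegCred());
                ctx.dispose();
                return client;
            }
        });
    }

    /** Propagation: run request handling as the client; callees see the client Subject. */
    static String handleAsClient(Subject client) throws Exception {
        return Subject.doAs(client, new PrivilegedExceptionAction<String>() {
            public String run() {
                Subject current = Subject.getSubject(AccessController.getContext());
                return current.getPrincipals(KerberosPrincipal.class).iterator().next().getName();
            }
        });
    }
}
```

Any code called from inside handleAsClient (EJB, JDBC with Kerberos, a second GSS hop) can recover the caller with Subject.getSubject, which is the propagation the JAAS Subject/Principal types exist for.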