[jboss-as7-dev] On security context and propagation
Radoslaw Rodak
rodakr at gmx.ch
Mon Mar 4 17:00:57 EST 2013
Hi
I can unterstand nobody likes JAAS , include me.
But java.security.Principal , javax.security.auth.Subject are CORE JAAS Classes/Interfaces.
( http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html )
So I don't see how to use them without JAAS.
When I look at the choice in Java
http://docs.oracle.com/javase/6/docs/technotes/guides/security/overview/jsoverview.html ( Bootom Appendix A )
I can't see, what else can be used for multithreaded jvm.
For me natural choice for security propagation will be GSS-API, which can be used with our without JAAS.
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/tutorials/index.html
In Addition you gets SSO for free if used with KRB5.
Example HTTP SPNEGO. You get Authentication/Authorization and safe connection without implementing krb5 yourself.
You Delegate Ticket validation to Java build in JAAS Login Modul com.sun.security.auth.module.Krb5LoginModule …
or you tell Java just to use Red Hat GSS native Libs, when Red Hat Server is allready configured for Kerberos.
One of many reasons I like AS7 & Red Hat Linux and especial Picketbox & Picketlink.
There is lot cool stuff build in in Java 6 and higher… I would take it.
If you don't like it, throw it away, take Interface and make better implementation yourself later… if you will find time for it :-)
Radek
More information about the jboss-as7-dev
mailing list