[jboss-dev-forums] [Design of Security on JBoss] - Re: SecurityContext
anil.saldhana@jboss.com
do-not-reply at jboss.com
Fri Mar 23 22:53:52 EDT 2007
Moving on to the concept of JBossSubject, an end result of authentication, we have many variations of Subjects to consider:
a) JAAS Subject.
b) SAML Subject
c) WS-Trust Security Token (that contains claims about a trusted identity like name etc).
d) XACML Subject
e) Custom subject.
Of these, the structures of the JAAS, SAML and XACML subjects are well defined. A WS-T security token is open-ended, with scope for custom tokens.
I am thinking that JBossSubject should be a composition of these subjects, rather than a union of the constituents of these individual subjects.
My Choice:
| import java.util.ArrayList;
| import java.util.List;
|
| public class JBossSubject
| {
|    // each constituent subject is kept whole, not merged into one set of attributes
|    private final List<Object> theSubjects = new ArrayList<Object>();
|
|    public <T> void addSubject(T subject)
|    {
|       theSubjects.add(subject);
|    }
| }
|
A particular case I have in mind is when an authenticated subject has multiple identities (a JAAS subject, a SAML subject, a security token, etc.) and the authorization layer can make a decision, based on some configuration, in the presence of multiple subject types for a particular identity.
For the record, a WS-Trust security token can be SAML, X.509, username/password or custom.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4031257#4031257
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4031257
More information about the jboss-dev-forums mailing list
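The composition design described in the post, worked through as an added example. This is not code from the post or from JBoss: the SamlSubject, SecurityToken, UserPrincipal and RolePrincipal types are hypothetical stand-ins, the AuthoritativeSource enum stands in for the "some configuration" the post mentions, and the sameIdentity check is an assumed safeguard that the post does not call for. Only javax.security.auth.Subject is a real JDK type.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import javax.security.auth.Subject;

public final class CompositeSubjectDemo {

    /** The post's JBossSubject as a composition: each constituent is kept whole, not merged. */
    public static final class JBossSubject {
        private final List<Object> theSubjects = new ArrayList<>();

        public <T> void addSubject(T subject) {
            theSubjects.add(Objects.requireNonNull(subject, "subject"));
        }

        /** Type-safe lookup of the first constituent assignable to {@code type}. */
        public <T> Optional<T> getSubject(Class<T> type) {
            for (Object s : theSubjects) {
                if (type.isInstance(s)) {
                    return Optional.of(type.cast(s));
                }
            }
            return Optional.empty();
        }

        public List<Object> getSubjects() {
            return Collections.unmodifiableList(theSubjects);
        }
    }

    // Hypothetical stand-ins for the non-JAAS subject types (assumption: not JBoss or SAML library classes).
    public record SamlSubject(String nameId, Set<String> attributeRoles) {}
    public record SecurityToken(String tokenType, String subjectName) {}
    public record UserPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }
    public record RolePrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    /** Configuration (assumed shape): which constituent the authorization layer treats as authoritative. */
    public enum AuthoritativeSource { JAAS, SAML }

    /**
     * Role check driven by configuration. Fails closed: if the configured
     * constituent is absent from the composite, the answer is deny, never a
     * silent fallback to whatever other subject type happens to be present.
     */
    public static boolean hasRole(JBossSubject js, AuthoritativeSource source, String role) {
        return switch (source) {
            case JAAS -> js.getSubject(Subject.class)
                .map(s -> s.getPrincipals(RolePrincipal.class).stream()
                           .anyMatch(p -> p.getName().equals(role)))
                .orElse(false);
            case SAML -> js.getSubject(SamlSubject.class)
                .map(s -> s.attributeRoles().contains(role))
                .orElse(false);
        };
    }

    /**
     * Assumed safeguard (added here, not from the post): every constituent that
     * names an identity must name the same one, otherwise the composite is rejected.
     */
    public static boolean sameIdentity(JBossSubject js) {
        Set<String> names = new LinkedHashSet<>();
        js.getSubject(Subject.class).ifPresent(s ->
            s.getPrincipals(UserPrincipal.class).forEach(p -> names.add(p.getName())));
        js.getSubject(SamlSubject.class).ifPresent(s -> names.add(s.nameId()));
        js.getSubject(SecurityToken.class).ifPresent(t -> names.add(t.subjectName()));
        return names.size() == 1;
    }

    public static void main(String[] args) {
        // Constructed sample: one authenticated identity with three constituent subjects.
        Subject jaas = new Subject();
        jaas.getPrincipals().add(new UserPrincipal("alice"));
        jaas.getPrincipals().add(new RolePrincipal("admin"));

        JBossSubject js = new JBossSubject();
        js.addSubject(jaas);
        js.addSubject(new SamlSubject("alice", Set.of("reader")));
        js.addSubject(new SecurityToken("urn:oasis:names:tc:SAML:2.0:assertion", "alice"));

        System.out.println("identities agree: " + sameIdentity(js));
        System.out.println("admin via JAAS:   " + hasRole(js, AuthoritativeSource.JAAS, "admin"));
        System.out.println("admin via SAML:   " + hasRole(js, AuthoritativeSource.SAML, "admin"));

        // Same identity, but only a SAML subject present: the JAAS-configured check must deny.
        JBossSubject samlOnly = new JBossSubject();
        samlOnly.addSubject(new SamlSubject("alice", Set.of("admin")));
        System.out.println("admin via JAAS without a JAAS subject: "
            + hasRole(samlOnly, AuthoritativeSource.JAAS, "admin"));
    }
}
```

Run with `java CompositeSubjectDemo.java` (Java 16 or later, for records and switch expressions). The point of the composite over a union is visible in hasRole: because the JAAS and SAML constituents are kept intact, the configuration can say which of them is authoritative for a given decision, and a role asserted only by the non-authoritative constituent does not leak into the result. The first JAAS check answers true, the SAML check false (the sample SAML attributes carry only "reader"), and the samlOnly case is denied because the configured constituent is missing. The sameIdentity check is the one caveat a practitioner would want on top of the post's design: when several subject types describe one identity, make sure they actually agree before authorizing on any of them.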