[jboss-dev-forums] [PicketBox Development] - AS7: Web Security - JBossWebRealm
Anil Saldhana
do-not-reply at jboss.com
Sun Jan 9 11:44:27 EST 2011
Anil Saldhana [http://community.jboss.org/people/anil.saldhana%40jboss.com] created the discussion
"AS7: Web Security - JBossWebRealm"
To view the discussion, visit: http://community.jboss.org/message/579656#579656
--------------------------------------------------------------
I want to dedicate this thread to the web layer security in AS7.
For Web applications to utilize JACC or XACML authorization, we need the web authorization checks to go through the JBoss Security authorization stack. This is not needed for the majority of applications (which just rely on what is provided by spec/RealmBase authorization checks).
I think we should make the access checks go through our authorization stack only when desired.
JBossWebRealm:-
protected boolean useAuthorizationStack = false; //Default behavior
This property needs to be used based on the domain model settings. Additionally, the realm should be customizable based on individual web apps (via domain model).
Additionally, we just need one security valve to incorporate what the JaccContextValve, SecurityAssociationValve etc. did in AS5/6 in a very +minimalistic+ way. Certainly JSR-196 is something to keep in mind here.
*Things to note:*
1. Minimize the access control checks.
2. Realm settings can be available at per web app level.
3. Ability to incorporate behavior at web app level (such as SSO) based on domain model settings. It should be possible to enable SAMLv2 SSO at the web app level using the default IDP that *can* be shipped with AS7.
--------------------------------------------------------------
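The following is an added example, not code from the post above nor from JBossWeb or PicketBox. It is a self-contained Java model of the design the post sketches: a realm that performs the spec/RealmBase-style role check by default and consults the JBoss Security authorization stack only when `useAuthorizationStack` is turned on, with the toggle settable per web app. The names `AuthorizationStack`, `WebUser`, `SecurityConstraint` and `JBossWebRealmModel` are hypothetical, the policy inside the stack stands in for a JACC/XACML decision, and the per-context map stands in for the domain model settings.

```java
import java.security.Principal;
import java.util.*;

// Added example, not JBossWeb or PicketBox code: models the useAuthorizationStack toggle.
// AuthorizationStack, WebUser, SecurityConstraint and JBossWebRealmModel are hypothetical names.
public class RealmToggleDemo {
    /** Hypothetical hook for the JBoss Security authorization stack (JACC, XACML, ...). */
    interface AuthorizationStack {
        boolean isAuthorized(Principal principal, String contextPath, String uri, String method);
    }

    /** Authenticated user carrying its roles; stands in for the container's Principal. */
    static final class WebUser implements Principal {
        private final String name;
        private final Set<String> roles;
        WebUser(String name, String... roles) {
            this.name = name;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }
        @Override public String getName() { return name; }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    /** web.xml-style constraint: URL pattern plus allowed roles ("*" = any authenticated user). */
    static final class SecurityConstraint {
        final String urlPattern;
        final Set<String> allowedRoles;
        SecurityConstraint(String urlPattern, String... allowedRoles) {
            this.urlPattern = urlPattern;
            this.allowedRoles = new HashSet<>(Arrays.asList(allowedRoles));
        }
        boolean matches(String uri) {
            if (urlPattern.endsWith("/*")) return uri.startsWith(urlPattern.substring(0, urlPattern.length() - 1));
            return uri.equals(urlPattern);
        }
    }

    /** Realm model: spec-style checks by default, the authorization stack only when enabled. */
    static final class JBossWebRealmModel {
        private final boolean useAuthorizationStack; // false by default, as in the post
        private final AuthorizationStack stack;
        private final List<SecurityConstraint> constraints;
        JBossWebRealmModel(boolean useAuthorizationStack, AuthorizationStack stack, List<SecurityConstraint> constraints) {
            this.useAuthorizationStack = useAuthorizationStack;
            this.stack = stack;
            this.constraints = constraints;
        }
        boolean hasResourcePermission(Principal principal, String contextPath, String uri, String method) {
            if (useAuthorizationStack) {
                // Fail closed if the toggle is on but the domain model wired in no stack.
                return stack != null && stack.isAuthorized(principal, contextPath, uri, method);
            }
            return specCheck(principal, uri);
        }
        /** Spec/RealmBase-style decision: unconstrained URLs are open, otherwise a role must match. */
        private boolean specCheck(Principal principal, String uri) {
            boolean constrained = false;
            for (SecurityConstraint c : constraints) {
                if (!c.matches(uri)) continue;
                constrained = true;
                if (principal == null) continue; // unauthenticated users only reach unconstrained URLs
                if (c.allowedRoles.contains("*")) return true;
                for (String role : c.allowedRoles) {
                    if (principal instanceof WebUser && ((WebUser) principal).hasRole(role)) return true;
                }
            }
            return !constrained;
        }
    }

    public static void main(String[] args) {
        List<SecurityConstraint> constraints = Arrays.asList(
            new SecurityConstraint("/admin/*", "admin"), new SecurityConstraint("/reports/*", "*"));
        // Hypothetical policy standing in for XACML/JACC: non-GET methods and /admin/* need "admin".
        AuthorizationStack stack = (principal, ctx, uri, method) -> {
            if (!(principal instanceof WebUser)) return false;
            boolean admin = ((WebUser) principal).hasRole("admin");
            return (method.equals("GET") || admin) && (!uri.startsWith("/admin/") || admin);
        };
        // Per-web-app realm settings keyed by context path (constructed; stands in for the domain model).
        Map<String, JBossWebRealmModel> realms = new LinkedHashMap<>();
        realms.put("/shop", new JBossWebRealmModel(false, null, constraints)); // default behaviour
        realms.put("/bank", new JBossWebRealmModel(true, stack, constraints));  // routed through the stack

        WebUser alice = new WebUser("alice", "user");
        WebUser bob = new WebUser("bob", "admin");
        String[][] requests = { {"alice", "POST", "/reports/q1"}, {"alice", "GET", "/admin/users"},
                                {"bob", "DELETE", "/admin/users"}, {null, "GET", "/index.html"} };
        for (Map.Entry<String, JBossWebRealmModel> e : realms.entrySet()) {
            for (String[] r : requests) {
                Principal p = r[0] == null ? null : (r[0].equals("alice") ? alice : bob);
                boolean ok = e.getValue().hasResourcePermission(p, e.getKey(), r[2], r[1]);
                System.out.println(e.getKey() + " " + r[0] + " " + r[1] + " " + r[2] + " -> " + ok);
            }
        }
    }
}
```

With the toggle off (`/shop`), decisions follow the constraints alone, so an unconstrained URL is open even to an unauthenticated request and `alice` may POST to `/reports/*`; with it on (`/bank`), every request is handed to the stack, which here denies the anonymous request and alice's POST. Keeping the default at `false` is what limits the extra access control work to the applications that asked for it, and the `stack != null` guard makes a misconfigured "on" setting deny rather than silently fall back.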