[jboss-jira] [JBoss JIRA] (WFLY-1067) Integrate JGroups with core AS security infrastructure

David Lloyd (JIRA) issues at jboss.org
Thu Oct 2 12:01:07 EDT 2014 

    [ https://issues.jboss.org/browse/WFLY-1067?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13008207#comment-13008207 ] 

David Lloyd commented on WFLY-1067:
-----------------------------------

This is a good writeup, thanks Richard.

I have a few additional comments:

* While usage of SASL without integrity/encryption support might be considered to be "not fully utilizing SASL", I'd like to point out that recent SASL mechanisms such as SCRAM no longer recommend or support encryption in any case, and recommend other options (SSL, channel binding) which provide other, more secure, encryption and integrity mechanisms.  Instead modern SASL mechanisms focus on securing the authentication process itself, which (it seems to me) is still well-aligned with the point of using SASL in JGroups, which is to simply cover authentication in a secure, standards-adherent manner.  So I recommend not worrying too much about QOP when you're considering the usage of SASL for new applications.
* The Elytron SPI is intended to be able to integrate at a lower level with authentication processes like this one.  This means two things:
*# If you elect to use SASL, that integration should be particularly seamless and simple.
*# If you continue to support AUTH, you should have a much easier time acquiring and using credentials.
* In the short term, if you want to make this work *now*, I'd say you should do whatever you have to do to make it work sensibly.  No hack is too ugly. :)
* In the medium to long term, please do communicate with the Elytron developers to ensure that any special requirements you have will be met.

> Integrate JGroups with core AS security infrastructure
> ------------------------------------------------------
>
>                 Key: WFLY-1067
>                 URL: https://issues.jboss.org/browse/WFLY-1067
>             Project: WildFly
>          Issue Type: Feature Request
>          Components: Clustering, Security
>            Reporter: Brian Stansberry
>            Assignee: Richard Achmatowicz
>
> Container task for better integrating JGroups security with overall AS security. The basic concept is the various security aware aspects of JGroups will expose an SPI, and the AS can create implementations of those SPIs that integrate with the AS security realms. The AS JGroups subsystem will inject the implementation into the JGroups runtime components.
> Subtasks are for the various aspects. These can be done separately but a common overall design should be created to ensure a consistent approach is taken.



--
This message was sent by Atlassian JIRA
(v6.3.1#6329)

More information about the jboss-jira mailing list