[jboss-jira] [JBoss JIRA] (WFLY-7259) Review elytron kerberos-security-factory resource

Martin Choma (JIRA) issues at jboss.org
Tue Oct 4 02:56:00 EDT 2016


     [ https://issues.jboss.org/browse/WFLY-7259?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Choma moved JBEAP-6287 to WFLY-7259:
-------------------------------------------

              Project: WildFly  (was: JBoss Enterprise Application Platform)
                  Key: WFLY-7259  (was: JBEAP-6287)
             Workflow: GIT Pull Request workflow   (was: CDW with loose statuses v1)
          Component/s: Security
                           (was: Security)
    Affects Version/s: 11.0.0.Alpha1
                           (was: 7.1.0.DR6)


> Review elytron kerberos-security-factory resource
> -------------------------------------------------
>
>                 Key: WFLY-7259
>                 URL: https://issues.jboss.org/browse/WFLY-7259
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 11.0.0.Alpha1
>            Reporter: Martin Choma
>            Assignee: Darran Lofthouse
>
> * {{mechanism-oids}}
> 	** The minimal command for Kerberos security factory creation is {code}/subsystem=elytron/kerberos-security-factory=kerberos:add(principal=mchoma, path=/path/to/keytab, mechanism-oids=[1.2.840.113554.1.2.2]){code}
> 	** I don't think it is user-friendly to require the user to specify mechanism-oids. I think some reasonable default value should be used here.
> * {{minimum-remaining-lifetime}}
> 	** Please specify the units in the documentation, e.g. seconds/minutes.
> * {{relative-to}}
> 	** As only a path reference can be used here, it should probably be just "expressions-allowed" => false.
> 	** In legacy settings it is documented better: "The name of another previously named path, or of one of the standard paths provided by the system. If 'relative-to' is provided, the value of the 'path' attribute is treated as relative to the path specified by this attribute."
> * {{server}}
> 	** I assume that, based on the {{server}} attribute, INITIATE_ONLY or ACCEPT_ONLY is configured on the GSSCredential [1]. Wouldn't it be useful to also have the possibility to set INITIATE_AND_ACCEPT? Couldn't that be useful, for example, in the case of identity propagation?
> * {{for-hosts}}
> 	** Compared to the legacy security {{kerberosIdentityType}}, I am missing for-hosts. Won't Elytron provide such a feature?



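For readers following the review above, here is a fuller {{kerberos-security-factory}} definition written as an added example; it is not part of the issue, and not WildFly's own documentation. It uses only the attributes the review names, plus the standard {{jboss.server.config.dir}} path so that {{relative-to}} is exercised. The service principal, keytab file name and lifetime value are placeholders; the lifetime is written assuming seconds, which is exactly the unit the review asks the documentation to state. The second OID, {{1.3.6.1.5.5.2}} (SPNEGO), goes beyond the review's single Kerberos OID and is included to show that {{mechanism-oids}} is a list. The two read operations afterwards are how a practitioner checks, against a running server, what the resource description actually says about units and {{expressions-allowed}}, and what runtime values the factory reports.

```jboss-cli
# Added example, not code from the issue or from WildFly's docs.
# Placeholders: the principal, the keytab name (resolved relative to the
# standard path jboss.server.config.dir) and the lifetime value (assumed seconds).
/subsystem=elytron/kerberos-security-factory=kerberos:add(principal="HTTP/host.example.com@EXAMPLE.COM", path=http.keytab, relative-to=jboss.server.config.dir, mechanism-oids=[1.2.840.113554.1.2.2, 1.3.6.1.5.5.2], minimum-remaining-lifetime=30, server=true)

# Check how this server version describes each attribute: look for the
# description text (units of minimum-remaining-lifetime) and for
# "expressions-allowed" on relative-to.
/subsystem=elytron/kerberos-security-factory=kerberos:read-resource-description

# Read the resource back, including runtime values, to confirm the keytab
# path resolved and the factory is usable.
/subsystem=elytron/kerberos-security-factory=kerberos:read-resource(include-runtime=true)
```

Running the {{read-resource-description}} operation is the quickest way to verify whether the points raised above (unspecified lifetime units, {{expressions-allowed}} on {{relative-to}}) have been addressed in a given WildFly build, since it prints the model metadata the server itself ships rather than the external documentation.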