[jboss-jira] [JBoss JIRA] (ELY-1021) GSS mechanisms OIDs into OidsUtil
Jan Kalina (JIRA)
issues at jboss.org
Tue Mar 21 15:07:00 EDT 2017
[ https://issues.jboss.org/browse/ELY-1021?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Kalina moved JBEAP-9749 to ELY-1021:
----------------------------------------
Project: WildFly Elytron (was: JBoss Enterprise Application Platform)
Key: ELY-1021 (was: JBEAP-9749)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Utils
(was: Security)
(was: User Experience)
Affects Version/s: 1.1.0.Beta32
(was: 7.1.0.DR6)
> GSS mechanisms OIDs into OidsUtil
> ---------------------------------
>
> Key: ELY-1021
> URL: https://issues.jboss.org/browse/ELY-1021
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Utils
> Affects Versions: 1.1.0.Beta32
> Reporter: Jan Kalina
> Assignee: Jan Kalina
> Priority: Critical
> Labels: eap71_beta, kerberos, management-model, model-review
>
> * {{mechanism-oids}}
> ** The minimal command for Kerberos security factory creation is {code}/subsystem=elytron/kerberos-security-factory=kerberos:add(principal=mchoma, path=/path/to/keytab, mechanism-oids=[1.2.840.113554.1.2.2]){code}
> ** I don't think it is user-friendly to require the user to specify mechanism-oids. I think some reasonable default value should be used here.
> * {{minimum-remaining-lifetime}}
> ** Please specify units in the documentation, e.g. seconds/minutes
> * {{relative-to}}
> ** As just a path reference can be used here, this should probably be just "expressions-allowed" => false
> ** In legacy settings it is documented better: "The name of another previously named path, or of one of the standard paths provided by the system. If 'relative-to' is provided, the value of the 'path' attribute is treated as relative to the path specified by this attribute."
> * {{server}}
> ** I assume that, based on the {{server}} attribute, INITIATE_ONLY or ACCEPT_ONLY is configured on GSSCredential [1]. Wouldn't it be useful to also have the possibility to set INITIATE_AND_ACCEPT? Couldn't that be useful, for example, in the case of identity propagation?
> * -{{for-hosts}}-
> ** -Compared to legacy security {{kerberosIdentityType}}, I am missing for-hosts. Elytron won't provide such a feature?-
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)