[jboss-jira] [JBoss JIRA] (WFCORE-4485) Support for multiple security realms - Distributed Identities
Carl Walker (Jira)
issues at jboss.org
Fri Jan 24 11:21:14 EST 2020
[ https://issues.redhat.com/browse/WFCORE-4485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13956348#comment-13956348 ]
Carl Walker commented on WFCORE-4485:
-------------------------------------
I have two use cases. In both cases, authentication and authorization info is kept in multiple places. (This isn't the "authenticate here / authorize there" scenario supported with aggregate.)
1) End users' and admins' credentials are located in different datastores (tables) but access the same resources. End users hit the first query. If that passes, they're authenticated and authorized. Admins fail on the first query, but succeed on the second. Business logic keeps the usernames unique across both stores.
2) Customer-maintained Active Directory and RDBMS-oriented "system accounts". Authentication is done against Active Directory for end users who have an identity in the enterprise system. System accounts will fail the AD check but will be picked up in a second RDBMS module.
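Use case 2 above, expressed as a WildFly Elytron configuration, as an added example that is not part of the comment or of the issue. It assumes the `distributed-realm` resource provided by later WildFly Elytron releases (this issue does not describe that resource), and the names `ad-ctx`, `ad-users`, `system-accounts`, `SystemAccountsDS`, `combined-realm`, `app-domain`, the AD DNs and the `system_accounts` table layout are all hypothetical.

```jboss-cli
# Added example, not from the issue. All resource names, DNs, the data source
# and the table columns are hypothetical placeholders.
batch

# Realm 1: customer-maintained Active Directory, checked first.
# direct-verification binds as the user, so the password is verified by AD itself.
/subsystem=elytron/dir-context=ad-ctx:add( \
    url="ldap://ad.example.internal:389", \
    principal="CN=svc-wildfly,OU=Service Accounts,DC=example,DC=internal", \
    credential-reference={clear-text="change-me"})

/subsystem=elytron/ldap-realm=ad-users:add( \
    dir-context=ad-ctx, \
    direct-verification=true, \
    identity-mapping={ \
        rdn-identifier=sAMAccountName, \
        search-base-dn="OU=Users,DC=example,DC=internal", \
        attribute-mapping=[{from=cn, to=groups, \
            filter="(member={1})", \
            filter-base-dn="OU=Groups,DC=example,DC=internal"}]})

# Realm 2: RDBMS "system accounts", consulted only when the identity is not in AD.
# Hypothetical table: system_accounts(username, password, salt, iteration_count, role)
# with bcrypt hashes, so the store never holds clear-text or unsalted passwords.
/subsystem=elytron/jdbc-realm=system-accounts:add( \
    principal-query=[{ \
        sql="SELECT password, salt, iteration_count, role FROM system_accounts WHERE username = ?", \
        data-source=SystemAccountsDS, \
        bcrypt-mapper={password-index=1, salt-index=2, iteration-count-index=3}, \
        attribute-mapping=[{index=4, to=groups}]}])

# The distributed realm tries the realms in the listed order and uses the
# first one that contains the identity. The second realm is never consulted
# for a name that exists in AD, so usernames must be unique across both stores.
/subsystem=elytron/distributed-realm=combined-realm:add( \
    realms=[ad-users, system-accounts])

# One security domain over the combined realm; the "groups" attribute from
# whichever realm answered is decoded into roles.
/subsystem=elytron/security-domain=app-domain:add( \
    default-realm=combined-realm, \
    permission-mapper=default-permission-mapper, \
    realms=[{realm=combined-realm, role-decoder=groups-to-roles}])

run-batch
reload
```

Two caveats a practitioner should check before relying on this. First, the lookup stops at the first realm that knows the name, so a collision between an AD account and a system account silently resolves to AD; the uniqueness rule the comment mentions is a precondition, not something this configuration enforces. Second, "identity not found in AD" and "AD unreachable" are different failures; the issue explicitly leaves fail-over out of scope, so treat an unavailable first realm as an outage to be monitored rather than assuming the second realm will absorb it.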
> Support for multiple security realms - Distributed Identities
> -------------------------------------------------------------
>
> Key: WFCORE-4485
> URL: https://issues.redhat.com/browse/WFCORE-4485
> Project: WildFly Core
> Issue Type: Feature Request
> Components: Security
> Reporter: Farah Juma
> Priority: Major
> Labels: CD17-Deferred, EAP-CD19, Previous_RFE
> Fix For: 11.0.0.Beta8
>
>
> By stacking LoginModules it was possible using PicketBox to attempt to authenticate using one remote store and if that failed try the next store in the list.
> This RFE is to consider the use case where identities could be located across multiple stores and how they are aggregated together.
> Additionally this use case should consider how the authorization information could be loaded from multiple sources and merged.
> This RFE is not about fail over in the event of a realm being unavailable although it may be related.
> This RFE is created as a result of comparing the differences between the PicketBox JAAS architecture and the Elytron architecture, so I would not recommend this proceed without some real world use cases identified.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)