[jboss-user] [Security & JAAS/JBoss] - Security Impl
jplenhart
do-not-reply at jboss.com
Tue Sep 12 08:23:15 EDT 2006
Hi,
I am currently working on a new security implementation for my company - I am a committer on JBossESB and thought what better people to ask my questions than fellow JBoss brethren :-)
We are migrating to JBoss - but right now we are focused on security. There is a good oppty for us to integrate JBoss security at this point. My reqt. is for Delegated Authentication - we currently have an application that performs Form based authentication and sets an encrypted cookie (with user and pass). On subsequent requests this cookie is decrypted by a webserver plug-in - which also sets the BASIC auth headers and forwards the request to our apps - and then there is a JAAS plugin to take care of the application entitlements. Woo! Get all that.
Right now - we would like to keep all that but offer our own SAML Delegated Authentication (browser based identity federation) scheme. We could just give our clients a different url for the saml assertions.
I have looked through the docs and I do not see anything directly dealing with browser identity federation through the use of SAML assertions. Also, wondering if it would be possible to achieve this using non-JBoss appserver instances (keeping the BASIC auth) - I am thinking all requests would need to come through a marshalling framework to handle timeouts, etc... then populate the BASIC headers, forward the request - sound right?
Or am I way off base?
I would love to get this working as it would definitely be a high profile implementation.
Thanks for any help.