[security-dev] Authorization constructs in PicketLink3
Pete Muir
pmuir at redhat.com
Fri May 3 08:44:30 EDT 2013
Do we have a list of the types of things that need restricting, and how we intend to restrict them (e.g. CDI beans, EJBs, JAX-RS endpoints, servlets…)
On 2 May 2013, at 17:38, Anil Saldhana <Anil.Saldhana at redhat.com> wrote:
> That is fine. Timo should be secured with PicketLink Core alone. Right
> now, authz classes are the missing bits.
>
> On 05/02/2013 10:56 AM, Pedro Igor Silva wrote:
>> I remember Shane saying that he is going to take a look at the permissions api, mainly after the latest changes to the idm/core apis.
>>
>> I can start looking at that too, if necessary. Maybe providing some test cases to see the gaps (also provide some tests for the authentication stuff).
>>
>> ----- Original Message -----
>> From: "Anil Saldhana" <Anil.Saldhana at redhat.com>
>> To: security-dev at lists.jboss.org
>> Sent: Thursday, May 2, 2013 12:31:26 PM
>> Subject: Re: [security-dev] Authorization constructs in PicketLink3
>>
>> Right Pete - I do mention in the thread. I was referring to users
>> wanting alternative authorization mechanisms such as
>> that driven by Drools (as in Seam2) and maybe XACML. :) Ideally, the
>> default authz mechanism by the rbac filter
>> should be the permissions module.
>>
>> On 05/02/2013 10:24 AM, Pete Muir wrote:
>>> Isn't this what the permissions module is for (API/SPI for authorisation)? I know it's not finished, but I think we have time to do that for 3.0…
>>>
>>> We then add things like the RBAC filter delegating to it.
>>>
>>> On 2 May 2013, at 16:21, Anil Saldhana <Anil.Saldhana at redhat.com> wrote:
>>>
>>>> That is what I meant by pluggable. But we need to be aware of
>>>> dependencies getting pulled into core. We
>>>> do not want a dependency on drools, for example, to use core. If users
>>>> want some particular authz stuff,
>>>> they should be able to pull in those dependencies.
>>>>
>>>> I do not know yet how to get that done. ;)
>>>>
>>>> On 05/02/2013 09:54 AM, Pedro Igor Silva wrote:
>>>>> Maybe something we started with PicketBox, using Drools for rule-based authz, pluggable authz managers, etc.
>>>>>
>>>>> JBoss Seam 2 also supports Drools for authorization ....
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Anil Saldhana" <Anil.Saldhana at redhat.com>
>>>>> To: security-dev at lists.jboss.org
>>>>> Sent: Thursday, May 2, 2013 11:38:40 AM
>>>>> Subject: Re: [security-dev] Authorization constructs in PicketLink3
>>>>>
>>>>> We have to remember the permission model work using IDM.
>>>>>
>>>>> I wonder if this filter can use pluggable authorization mechanisms, then
>>>>> maybe the perfect start.
>>>>>
>>>>> On 05/02/2013 09:36 AM, Pedro Igor Silva wrote:
>>>>>> I was looking at the org.picketlink.authentication.web.AuthenticationFilter. This class resides on core-api and we did it given some input from AG for DIGEST and BASIC authentication.
>>>>>>
>>>>>> Wondering if the authz filter we did for TIMO does not fit in the same case.
>>>>>>
>>>>>> ----- Original Message -----
>>>>>> From: "Anil Saldhana" <Anil.Saldhana at redhat.com>
>>>>>> To: security-dev at lists.jboss.org
>>>>>> Sent: Tuesday, April 30, 2013 11:42:25 AM
>>>>>> Subject: [security-dev] Authorization constructs in PicketLink3
>>>>>>
>>>>>> Shane/Pedro - we should start discussing the constructs for
>>>>>> authorization in PL3. We have a few options on the table. We need to
>>>>>> figure out what we need such that for PL3 users, we have some options.
>>>>>> Lets use this thread to figure out the various options/strategies.
>>>>>>
>>>>>>
>>>>>>
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
More information about the security-dev
mailing list