[security-dev] Authorization constructs in PicketLink3

Pedro Igor Silva psilva at redhat.com
Tue May 7 16:12:55 EDT 2013 

As I have replied before, maybe the same arguments used to put the DIGEST/BASIC authc filter into picketlink-api are also valid for the this filter.

We also need to think how the configuration would be, because we need to provide to the filter the URI patterns vs Roles mapping.

As @pmuir said, the web.xml init-params should be avoided. As an alternative, we can:

    - Provide a class like javax.ws.rs.core.Application where users can override some methods to provide additional security config (we can use that not only for authorization)      
    - Use a @Producer method to return a specific instance with the authz configuration.
    - Use a @Qualifier (or only some interface) in order to be able to inject a specific bean that implements an interface with some methods that can be used to obtain the configuration.

Makes sense ?

----- Original Message -----
From: "Anil Saldhana" <Anil.Saldhana at redhat.com>
To: security-dev at lists.jboss.org
Sent: Tuesday, May 7, 2013 4:40:50 PM
Subject: Re: [security-dev] Authorization constructs in PicketLink3

Any objections to adding the access control filters to the core module? 

On 05/02/2013 11:38 AM, Anil Saldhana wrote: 



That is fine.  Timo should be secured with PicketLink Core alone. Right 
now, authz classes are the missing bits.

On 05/02/2013 10:56 AM, Pedro Igor Silva wrote: 



> I remember Shane saying that he is going to take a look at the permissions api, mainly after the latest changes to the idm/core apis. > > I can start looking at that too, if necessary. Maybe providing some test cases to see the gaps (also provide some tests for the authentication stuff). > > ----- Original Message ----- > From: "Anil Saldhana" <Anil.Saldhana at redhat.com> > To: security-dev at lists.jboss.org > Sent: Thursday, May 2, 2013 12:31:26 PM > Subject: Re: [security-dev] Authorization constructs in PicketLink3 > > Right Pete - I do mention in the thread. I was referring to users > wanting alternative authorization mechanisms such as > that driven by Drools (as in Seam2) and maybe XACML. :) Ideally, the > default authz mechanism by the rbac filter > should be the permissions module. > > On 05/02/2013 10:24 AM, Pete Muir wrote: 



>> Isn't this what the permissions module is for (API/SPI for authorisation)? I know it's not finished, but I think we have time to do that for 3.0… >> >> We then add things like the RBAC filter delegating to it. >> >> On 2 May 2013, at 16:21, Anil Saldhana <Anil.Saldhana at redhat.com> wrote: >> 



>>> That is what I meant by pluggable. But we need to be aware of >>> dependencies getting pulled into core. We >>> do not want a dependency on drools, for example, to use core. If users >>> want some particular authz stuff, >>> they should be able to pull in those dependencies. >>> >>> I do not know yet how to get that done. ;) >>> >>> On 05/02/2013 09:54 AM, Pedro Igor Silva wrote: 



>>>> Maybe something we started with PicketBox, using Drools for rule-based authz, pluggable authz managers, etc. >>>> >>>> JBoss Seam 2 also supports Drools for authorization .... >>>> >>>> ----- Original Message ----- >>>> From: "Anil Saldhana" <Anil.Saldhana at redhat.com> >>>> To: security-dev at lists.jboss.org >>>> Sent: Thursday, May 2, 2013 11:38:40 AM >>>> Subject: Re: [security-dev] Authorization constructs in PicketLink3 >>>> >>>> We have to remember the permission model work using IDM. >>>> >>>> I wonder if this filter can use pluggable authorization mechanisms, then >>>> maybe the perfect start. >>>> >>>> On 05/02/2013 09:36 AM, Pedro Igor Silva wrote: 



>>>>> I was looking at the org.picketlink.authentication.web.AuthenticationFilter. This class resides on core-api and we did it given some input from AG for DIGEST and BASIC authentication. >>>>> >>>>> Wondering if the authz filter we did for TIMO does not fit in the same case. >>>>> >>>>> ----- Original Message ----- >>>>> From: "Anil Saldhana" <Anil.Saldhana at redhat.com> >>>>> To: security-dev at lists.jboss.org >>>>> Sent: Tuesday, April 30, 2013 11:42:25 AM >>>>> Subject: [security-dev] Authorization constructs in PicketLink3 >>>>> >>>>> Shane/Pedro - we should start discussing the constructs for >>>>> authorization in PL3.  We have a few options on the table. We need to >>>>> figure out what we need such that for PL3 users, we have some options. >>>>> Lets use this thread to figure out the various options/strategies. >>>>> >>>>> >>>>> 
_______________________________________________
security-dev mailing list security-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev 


_______________________________________________
security-dev mailing list
security-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev

More information about the security-dev mailing list