[security-dev] Authorization constructs in PicketLink3

Anil Saldhana Anil.Saldhana at redhat.com
Tue May 7 18:23:44 EDT 2013


Also I feel we should provide pluggable means for:
a) IDM based permission model (Shane)
b) Drools based Rules Open Ended Authorization
c) XACML based Open Ended Authorization (Anil)


On 05/07/2013 04:30 PM, Anil Saldhana wrote:
> I am supportive of your ideas, Pedro.
>
> Unlike authentication, we need to remember that authorization is 
> pretty domain specific. There is no magic bullet for 
> rules/permissions. Ideally, as discussed before we should provide the 
> opportunity to plug in custom authorization schemes.
>
> On 05/07/2013 03:12 PM, Pedro Igor Silva wrote:
>> As I have replied before, maybe the same arguments used to put the 
>> DIGEST/BASIC authc filter into picketlink-api are also valid for 
>> this filter.
>>
>> We also need to think how the configuration would be, because we need 
>> to provide to the filter the URI patterns vs Roles mapping.
>>
>> As @pmuir said, the web.xml init-params should be avoided. As an 
>> alternative, we can:
>>
>>      - Provide a class like javax.ws.rs.core.Application where users 
>> can override some methods to provide additional security config (we 
>> can use that not only for authorization)
>>      - Use a @Producer method to return a specific instance with the 
>> authz configuration.
>>      - Use a @Qualifier (or only some interface) in order to be able 
>> to inject a specific bean that implements an interface with some 
>> methods that can be used to obtain the configuration.
>>
>> Makes sense?
>>
>> ----- Original Message -----
>> From: "Anil Saldhana" <Anil.Saldhana at redhat.com>
>> To: security-dev at lists.jboss.org
>> Sent: Tuesday, May 7, 2013 4:40:50 PM
>> Subject: Re: [security-dev] Authorization constructs in PicketLink3
>>
>> Any objections to adding the access control filters to the core module?
>>
>> On 05/02/2013 11:38 AM, Anil Saldhana wrote:
>>
>> That is fine.  Timo should be secured with PicketLink Core alone. Right
>> now, authz classes are the missing bits.
>>
>> On 05/02/2013 10:56 AM, Pedro Igor Silva wrote:
>>
>>> I remember Shane saying that he is going to take a look at the
>>> permissions api, mainly after the latest changes to the idm/core
>>> apis.
>>>
>>> I can start looking at that too, if necessary. Maybe providing some
>>> test cases to see the gaps (also provide some tests for the
>>> authentication stuff).
>>>
>>> ----- Original Message -----
>>> From: "Anil Saldhana" <Anil.Saldhana at redhat.com>
>>> To: security-dev at lists.jboss.org
>>> Sent: Thursday, May 2, 2013 12:31:26 PM
>>> Subject: Re: [security-dev] Authorization constructs in PicketLink3
>>>
>>> Right Pete - I do mention in the thread. I was referring to users
>>> wanting alternative authorization mechanisms such as that driven by
>>> Drools (as in Seam2) and maybe XACML. :) Ideally, the default authz
>>> mechanism by the rbac filter should be the permissions module.
>>>
>>> On 05/02/2013 10:24 AM, Pete Muir wrote:
>>>
>>>> Isn't this what the permissions module is for (API/SPI for
>>>> authorisation)? I know it's not finished, but I think we have time
>>>> to do that for 3.0…
>>>>
>>>> We then add things like the RBAC filter delegating to it.
>>>>
>>>> On 2 May 2013, at 16:21, Anil Saldhana <Anil.Saldhana at redhat.com> wrote:
>>>>
>>>>> That is what I meant by pluggable. But we need to be aware of
>>>>> dependencies getting pulled into core. We do not want a dependency
>>>>> on drools, for example, to use core. If users want some particular
>>>>> authz stuff, they should be able to pull in those dependencies.
>>>>>
>>>>> I do not know yet how to get that done. ;)
>>>>>
>>>>> On 05/02/2013 09:54 AM, Pedro Igor Silva wrote:
>>>>>
>>>>>> Maybe something we started with PicketBox, using Drools for
>>>>>> rule-based authz, pluggable authz managers, etc.
>>>>>>
>>>>>> JBoss Seam 2 also supports Drools for authorization ....
>>>>>>
>>>>>> ----- Original Message -----
>>>>>> From: "Anil Saldhana" <Anil.Saldhana at redhat.com>
>>>>>> To: security-dev at lists.jboss.org
>>>>>> Sent: Thursday, May 2, 2013 11:38:40 AM
>>>>>> Subject: Re: [security-dev] Authorization constructs in PicketLink3
>>>>>>
>>>>>> We have to remember the permission model work using IDM.
>>>>>>
>>>>>> I wonder if this filter can use pluggable authorization
>>>>>> mechanisms, then maybe that is the perfect start.
>>>>>>
>>>>>> On 05/02/2013 09:36 AM, Pedro Igor Silva wrote:
>>>>>>
>>>>>>> I was looking at the
>>>>>>> org.picketlink.authentication.web.AuthenticationFilter. This
>>>>>>> class resides on core-api and we did it given some input from AG
>>>>>>> for DIGEST and BASIC authentication.
>>>>>>>
>>>>>>> Wondering if the authz filter we did for TIMO does not fit in the
>>>>>>> same case.
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>> From: "Anil Saldhana" <Anil.Saldhana at redhat.com>
>>>>>>> To: security-dev at lists.jboss.org
>>>>>>> Sent: Tuesday, April 30, 2013 11:42:25 AM
>>>>>>> Subject: [security-dev] Authorization constructs in PicketLink3
>>>>>>>
>>>>>>> Shane/Pedro - we should start discussing the constructs for
>>>>>>> authorization in PL3.  We have a few options on the table. We need
>>>>>>> to figure out what we need such that for PL3 users, we have some
>>>>>>> options.
>>>>>>>
>>>>>>> Let's use this thread to figure out the various
>>>>>>> options/strategies.
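The thread above sketches an access-control filter that maps URI patterns to roles and sits in front of a pluggable authorization mechanism (the IDM permission model by default, Drools or XACML when a user pulls those dependencies in). The following is an added example written for this archive page, not PicketLink code and not anything the participants posted. It is plain Java so that it compiles without a CDI container or the servlet API: `Subject`, `AuthorizationPolicy`, `RbacPolicy` and `AuthorizationFilter` are hypothetical names, and the patterns, users and requests in `main` are constructed. In the CDI wiring Pedro proposes, the policy object built in `main` would be returned from a `@Produces` method rather than hard-coded.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Added example (hypothetical names): a URI-pattern -> roles filter that only
// talks to an AuthorizationPolicy SPI, so a Drools- or XACML-backed policy can
// be dropped in without the core module depending on either library.
public class AuthzFilterExample {

    /** Stand-in for the authenticated caller; assumption: roles are plain strings. */
    public static final class Subject {
        final String name;
        final Set<String> roles;
        Subject(String name, String... roles) {
            this.name = name;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }
    }

    /** The pluggable point. subject is null for anonymous requests; path is already normalized. */
    public interface AuthorizationPolicy {
        boolean isAllowed(Subject subject, String path);
    }

    /** Default policy: ordered URI-pattern -> required-roles mapping; first whole-path match decides. */
    public static final class RbacPolicy implements AuthorizationPolicy {
        private final Map<Pattern, Set<String>> rules = new LinkedHashMap<>();

        public RbacPolicy protect(String pathRegex, String... anyOfRoles) {
            rules.put(Pattern.compile(pathRegex), new HashSet<>(Arrays.asList(anyOfRoles)));
            return this;
        }

        @Override
        public boolean isAllowed(Subject subject, String path) {
            for (Map.Entry<Pattern, Set<String>> rule : rules.entrySet()) {
                // matches() anchors the regex to the whole path; find() would not
                if (rule.getKey().matcher(path).matches()) {
                    return subject != null && !Collections.disjoint(subject.roles, rule.getValue());
                }
            }
            return true; // no rule covers this path: unprotected, like an unconstrained web.xml URL
        }
    }

    /** Filter body kept free of javax.servlet so the example compiles stand-alone. */
    public static final class AuthorizationFilter {
        private final AuthorizationPolicy policy;

        public AuthorizationFilter(AuthorizationPolicy policy) {
            this.policy = policy;
        }

        /** Returns the HTTP status the filter would produce; 200 means pass the request on. */
        public int filter(Subject subject, String requestUri) {
            String path;
            try {
                // Normalize before matching so "/public/../admin" cannot bypass the "/admin" rule;
                // getPath() also strips any query string.
                path = URI.create(requestUri).normalize().getPath();
            } catch (IllegalArgumentException malformed) {
                return 400;
            }
            if (path == null || !path.startsWith("/")) {
                return 400; // relative or opaque URIs never reach the policy
            }
            if (policy.isAllowed(subject, path)) {
                return 200;
            }
            return subject == null ? 401 : 403; // challenge anonymous callers, refuse known ones
        }
    }

    public static void main(String[] args) {
        // Constructed configuration; with CDI this object would come from a @Produces method.
        AuthorizationPolicy policy = new RbacPolicy()
                .protect("/admin(/.*)?", "admin")
                .protect("/api/orders(/.*)?", "customer", "admin");
        AuthorizationFilter filter = new AuthorizationFilter(policy);

        Subject alice = new Subject("alice", "admin");
        Subject bob = new Subject("bob", "customer");

        // Constructed requests: (caller, request URI)
        String[][] requests = {
                {"alice", "/admin/users"}, {"bob", "/admin/users"}, {"anonymous", "/admin/users"},
                {"bob", "/public/../admin/users"}, {"bob", "/api/orders/42?expand=items"},
                {"anonymous", "/public/index.html"},
        };
        for (String[] r : requests) {
            Subject who = "alice".equals(r[0]) ? alice : "bob".equals(r[0]) ? bob : null;
            System.out.println(r[0] + " " + r[1] + " -> " + filter.filter(who, r[1]));
        }
    }
}
```

Two points a reviewer of the real filter would want to check are visible here: the path is normalized before it is matched, and patterns are matched against the whole path rather than searched for inside it. Whether an unmatched path should be allowed (as above) or denied is a policy decision; a deployment that wants deny-by-default can end the configuration with a catch-all pattern requiring some baseline role.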


