[undertow-dev] Undertow Security: PicketBox5

Anil Saldhana Anil.Saldhana at redhat.com
Tue Nov 13 19:00:30 EST 2012


On 11/13/2012 05:44 PM, Anil Saldhana wrote:
> On 11/13/2012 04:40 PM, David M. Lloyd wrote:
>> On 11/13/2012 04:32 PM, Anil Saldhana wrote:
>>> Hi All,
>>>       I was not aware of this mailing list until today.
>>>
>>> 3-4 months ago, we rewrote PicketBox5 to be a generic security framework.
>>> https://docs.jboss.org/author/display/SECURITY/Java+Application+Security
>>> https://github.com/picketbox/picketbox
>>>
>>> We neither have JAAS stuff nor Servlet Security
>>> (FORM,DIGEST,CLIENT-CERT,BASIC) tied to Tomcat Authenticators.
>>> I am wondering if there is a scope for using PicketBox5 with Undertow.
>>> Also there is no tie in into any containers in
>>> PicketBox5.
>> In a word: why?
>>
>> What does PicketBox provide that Undertow needs?  I'd be highly
>> skeptical unless it's clear what requirements were fed *into* PicketBox
>> to begin with.  We know what we need; the burden of justification lies
>> on you in this case.
> At a bare minimum from Undertow perspective, PicketBox5 has implemented
> the Servlet security mechanisms in a container independent fashion.
> You can take a look at that. If Undertow needs to implement servlet
> security mechanism, we can provide you a PBox5 tiny library to
> integrate into undertow or you will have to code it yourself, unless you
> have already done that. :)
There is one use case that Mike Brock had mentioned a month back that we 
want to validate with PBox5.
The issue on non-http session management for calls coming in from 
different paths (web sockets, http etc)
and provide step-up/step-down authentication/authorization. I need to 
check with Mike on this from Errai perspective. :)
>>> The test cases that you may want to review:
>>> https://github.com/picketbox/picketbox/tree/master/http/src/test/java/org/picketbox/test/authentication/http
>>>
>>> Maybe Stefan from our side can help out.  I would guess we can produce a
>>> prototype branch with undertow + PBox5.
We are willing to do the prototype for you and you can tell us you like 
it or not. :)
>>> Regards,
>>> Anil
>>>
>>> PS: Feedback from *Jason Greene*: I'll let Stuart and Darran comment,
>>> but my thinking is that we want to greatly limit the dependencies of
>>> standalone undertow. Integration in AS is a different story though. I
>>> would imagine this means some kind of SPI between undertow and the
>>> container.
>>>
>>>
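The thread's two technical points are that the Servlet security mechanisms (BASIC, DIGEST, FORM, CLIENT-CERT) can be written without any dependency on a particular container, and that an integration would take the form of an SPI between the container and the security library. The following is an added illustration of that shape and is not code from PicketBox, Undertow or Errai: a BASIC mechanism coded only against two hypothetical interfaces, `HttpExchange` (what a container adapter supplies) and `CredentialStore` (what an identity store supplies). The class names, the `DemoStore` with its constructed user, and the `MapExchange` test double are all assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Hypothetical container-neutral view of one request/response pair. A servlet
// container, Undertow, or a WebSocket handshake would each supply an adapter.
interface HttpExchange {
    Optional<String> requestHeader(String name);
    void setResponseHeader(String name, String value);
    void setStatus(int code);
}

// Hypothetical credential check; keeps the mechanism free of identity-store details.
interface CredentialStore {
    boolean verify(String username, char[] password);
}

// BASIC mechanism (RFC 7617) written only against the two interfaces above.
final class BasicAuthMechanism {
    private final String realm;
    private final CredentialStore store;

    BasicAuthMechanism(String realm, CredentialStore store) {
        this.realm = realm;
        this.store = store;
    }

    // Returns the authenticated user name, or sends a 401 challenge and returns empty.
    Optional<String> authenticate(HttpExchange ex) {
        Optional<String> header = ex.requestHeader("Authorization");
        if (header.isEmpty() || !header.get().regionMatches(true, 0, "Basic ", 0, 6)) {
            return challenge(ex);
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.get().substring(6).trim());
        } catch (IllegalArgumentException malformed) {
            return challenge(ex);        // not valid base64: treat as no credentials
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return challenge(ex);        // user-id and password must be separated by ':'
        }
        String user = pair.substring(0, colon);
        char[] password = pair.substring(colon + 1).toCharArray();
        try {
            if (store.verify(user, password)) {
                return Optional.of(user);
            }
        } finally {
            Arrays.fill(password, '\0'); // do not keep the secret in memory longer than needed
        }
        return challenge(ex);
    }

    private Optional<String> challenge(HttpExchange ex) {
        ex.setResponseHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\", charset=\"UTF-8\"");
        ex.setStatus(401);
        return Optional.empty();
    }
}

// Constructed in-memory store for the demo; a real store would hold salted password hashes.
final class DemoStore implements CredentialStore {
    private final Map<String, byte[]> users = new HashMap<>();

    DemoStore add(String user, String password) {
        users.put(user, password.getBytes(StandardCharsets.UTF_8));
        return this;
    }

    public boolean verify(String user, char[] password) {
        byte[] expected = users.get(user);
        byte[] given = new String(password).getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual compares without short-circuiting on the first mismatch.
        return expected != null && MessageDigest.isEqual(expected, given);
    }
}

// Test double standing in for a container adapter.
final class MapExchange implements HttpExchange {
    final Map<String, String> request = new HashMap<>();
    final Map<String, String> response = new HashMap<>();
    int status = 200;

    public Optional<String> requestHeader(String n) { return Optional.ofNullable(request.get(n)); }
    public void setResponseHeader(String n, String v) { response.put(n, v); }
    public void setStatus(int c) { status = c; }
}

public class BasicAuthDemo {
    public static void main(String[] args) {
        BasicAuthMechanism mech = new BasicAuthMechanism("demo", new DemoStore().add("alice", "s3cret"));
        MapExchange ok = new MapExchange();
        ok.request.put("Authorization", "Basic "
                + Base64.getEncoder().encodeToString("alice:s3cret".getBytes(StandardCharsets.UTF_8)));
        System.out.println("user: " + mech.authenticate(ok));
        MapExchange anon = new MapExchange();
        mech.authenticate(anon);
        System.out.println(anon.status + " " + anon.response.get("WWW-Authenticate"));
    }
}
```

The point of the split is the one the thread argues about: the mechanism depends on nothing but `HttpExchange` and `CredentialStore`, so a container that wants to reuse it only has to provide the adapter, which is the "SPI between undertow and the container" Jason's feedback anticipates.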