[wildfly-dev] New security sub-project: WildFly Elytron

David M. Lloyd david.lloyd at redhat.com
Wed Jun 4 16:34:17 EDT 2014


On 06/04/2014 02:40 PM, Radoslaw Rodak wrote:
>> The following are presently non- or anti-goals:
>>
>> • Any provision to support JAAS Subject as a security context (due to
>> performance and correctness concerns)†
>> • Any provision to support JAAS LoginContext (due to tight integration
>> with Subject)
>> • Any provision to maintain API compatibility with PicketBox (this is
>> not presently an established requirement and thus would add undue
>> implementation complexity, if it is indeed even possible)
>> • Replicate Kerberos-style ticket-based credential forwarding (just use
>> Kerberos in this case)
>>
>> † You may note that this is in contrast with a previous post to the AS 7
>> list [9] in which I advocated simply unifying on Subject.  Subsequent
>> research uncovered a number of performance and implementation weaknesses
>> in JAAS that have since convinced the security team that we should no
>> longer be relying on it.
>
>
> Is there any hope to have in Elytron a way to be able to integrate third-party products supporting user identity propagation with JAAS like CORBA, IBM MQ … with WildFly?

Yes, however it may not be possible using one single integration 
methodology.  Experience has shown that every vendor uses JAAS in 
different ways, so we would have to approach each item on a case-by-case 
basis.


-- 
- DML

