[wildfly-dev] New security sub-project: WildFly Elytron

Darran Lofthouse darran.lofthouse at jboss.com
Thu Jun 5 04:50:16 EDT 2014


+1 Recently looking at how different JDBC driver vendors, and different 
JDK vendors interpret the use of JAAS for Kerberos propagation there are 
a lot of different interpretations of the same spec / APIs!!

On 04/06/14 21:34, David M. Lloyd wrote:
> On 06/04/2014 02:40 PM, Radoslaw Rodak wrote:
>>> The following are presently non- or anti-goals:
>>>
>>> • Any provision to support JAAS Subject as a security context (due to
>>> performance and correctness concerns)†
>>> • Any provision to support JAAS LoginContext (due to tight integration
>>> with Subject)
>>> • Any provision to maintain API compatibility with PicketBox (this is
>>> not presently an established requirement and thus would add undue
>>> implementation complexity, if it is indeed even possible)
>>> • Replicate Kerberos-style ticket-based credential forwarding (just use
>>> Kerberos in this case)
>>>
>>> † You may note that this is in contrast with a previous post to the AS 7
>>> list [9] in which I advocated simply unifying on Subject.  Subsequent
>>> research uncovered a number of performance and implementation weaknesses
>>> in JAAS that have since convinced the security team that we should no
>>> longer be relying on it.
>>
>>
>> Is there any hope to have in Elytron a way to be able to integrate third-party products supporting user identity propagation with JAAS like Corba, IBM MQ … with Wildfly?
>
> Yes, however it may not be possible using one single integration
> methodology.  Experience has shown that every vendor uses JAAS in
> different ways, so we would have to approach each item on a case-by-case
> basis.
>
>