[wildfly-dev] New security sub-project: WildFly Elytron

Darran Lofthouse darran.lofthouse at jboss.com
Thu Jun 5 06:04:38 EDT 2014



On 05/06/14 10:50, arjan tijms wrote:
> Hi,
>
> On Thu, Jun 5, 2014 at 10:50 AM, Darran Lofthouse
> <darran.lofthouse at jboss.com <mailto:darran.lofthouse at jboss.com>> wrote:
>
>     +1 Recently looking at how different JDBC driver vendors, and different
>     JDK vendors interpret the use of JAAS for Kerberos propagation, there are
>     a lot of different interpretations of the same spec / APIs!!
>
>
> JAAS, and especially JAAS in Java EE, is not the universal standard you
> may think it is.

We have certainly come to that conclusion as well ;-)

My view on JAAS is that it is actually a client-side API that pre-dated 
J2EE. The J2EE specs left security decisions to the vendors, and as at 
the time only simple security solutions were in demand (validating a 
plain-text username and password), JAAS was quickly adopted because this 
was something it could do.

It is then the demand for more complex solutions that has started to 
show the limitations of how much can be achieved with it.

> Some parts are interpreted differently, but other parts
> are just not specified. How to store a username and roles in the "bag of
> principals" that the Subject is, is particularly notorious. I wrote a
> post about that subject (no pun) here:
> http://arjan-tijms.blogspot.com/2014/02/jaas-in-java-ee-is-not-universal.html
>
> I wonder btw if any of the work done for this WildFly Elytron project
> (and previous work done for Picketbox/link) could possibly be used for
> feedback on how to improve the security APIs in Java EE itself. Has this
> ever been considered?
>
> Kind regards,
> Arjan
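
An added example, not code from this thread, from WildFly Elytron or from PicketBox, illustrating the "bag of principals" point quoted above: a JAAS Subject carries a caller name and roles only as an unordered set of Principals, and nothing in the API says how roles are distinguished from the user. The program builds one Subject under each of two hypothetical conventions (a single "Roles" principal whose members are the role names, versus one plain principal per role) and shows what a consumer written for the other convention extracts. Both conventions, the class names, and the user "alice" with roles "admin" and "auditor" are assumptions made for the illustration.

```java
import java.security.Principal;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;

// Two assumed, illustrative conventions for storing a user name and roles in a
// JAAS Subject, and what a consumer written for one makes of a Subject built
// by the other. Neither convention is mandated by JAAS or Java EE.
public class SubjectRoleConventions {

    // Any named principal: the caller identity in both conventions, and each
    // role in convention B (same type as the user, so type alone cannot tell
    // the two apart).
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "NamedPrincipal(" + name + ")"; }
    }

    // Convention A: one principal named "Roles" whose members are the role
    // names (a hypothetical stand-in for a Group-style roles principal).
    static final class RolesPrincipal implements Principal {
        private final Set<String> members;
        RolesPrincipal(Collection<String> members) { this.members = new LinkedHashSet<>(members); }
        @Override public String getName() { return "Roles"; }
        Set<String> members() { return Collections.unmodifiableSet(members); }
    }

    static Subject buildConventionA(String user, List<String> roles) {
        Subject s = new Subject();
        s.getPrincipals().add(new NamedPrincipal(user));
        s.getPrincipals().add(new RolesPrincipal(roles));
        return s;
    }

    // Convention B: one plain principal per role, alongside the user principal.
    static Subject buildConventionB(String user, List<String> roles) {
        Subject s = new Subject();
        s.getPrincipals().add(new NamedPrincipal(user));
        for (String r : roles) s.getPrincipals().add(new NamedPrincipal(r));
        return s;
    }

    // Consumer written against convention A: only the "Roles" principal counts.
    static Set<String> rolesExpectingA(Subject s) {
        for (RolesPrincipal rp : s.getPrincipals(RolesPrincipal.class)) return rp.members();
        return Collections.emptySet();   // a convention-B Subject yields no roles at all
    }

    // Consumer written against convention B: every principal that is not the
    // caller is treated as a role.
    static Set<String> rolesExpectingB(Subject s, String user) {
        Set<String> roles = new LinkedHashSet<>();
        for (Principal p : s.getPrincipals()) {
            if (!p.getName().equals(user)) roles.add(p.getName());
        }
        return roles;   // a convention-A Subject yields the container's "Roles" marker as if it were a granted role
    }

    public static void main(String[] args) {
        // Constructed sample identity and roles, not taken from any real deployment.
        List<String> granted = List.of("admin", "auditor");
        Subject a = buildConventionA("alice", granted);
        Subject b = buildConventionB("alice", granted);

        System.out.println("A read as A: " + rolesExpectingA(a));
        System.out.println("B read as A: " + rolesExpectingA(b));
        System.out.println("B read as B: " + rolesExpectingB(b, "alice"));
        System.out.println("A read as B: " + rolesExpectingB(a, "alice"));
    }
}
```

Run as-is (Java 9 or later for List.of), the first and third lines list admin and auditor, the second is empty, and the fourth lists only "Roles". The mismatch fails in both directions: a consumer expecting the "Roles" principal silently strips every role from a per-principal Subject (denial), while a consumer that treats every non-caller principal as a role turns the "Roles" marker into a role nobody granted (an authorization decision on a name that exists only as a storage convention). That is why the unspecified layout of the Subject is an authorization problem and not only a portability one.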
