[Jboss-dev-forums] [Design of Security on JBoss] - Re: Generalizing the JACC service

[<sco...@jb...>]

"piratepete" wrote : Scott:
  | 
  | I've been looking at this for personal reasons (lol, trying to convince Ivelin to hire me) but I wrote an article for TSS on SAML and my desire is to create a SAML server and complete administration app for JBoss.
  | 
  | I like that SAML could be used to communicate these "identity" things, but my thoughts are to use e.g. HSQL to house the identity data, provide an administration thereof, and use SAML with JAAS to do multi-domain authenticates and authorization for businesses.
  | 
  | I have been thinking of using combination JAAS with a SAML identity service but if extending JAAS across contexts is possible, that would be better.  In any event, "descripted" security for multi-domain identity management would be sweet.  It's possible I think.
  | 
  | I recently took a job to lead a large project using BEA WebLogic servers but I would like solve this one (extended JAAS, SAML, etc. multi-domain identity management) using JBoss using only J2EE (complete non-proprietary).  I'll keep posting here, since Ivelin pointed me in the right direction.  My article on TSS is here http://www.theserverside.com/articles/article.tss?l=SAML  Take a look, it's somewhat mousetrap but I understand what the problem is, I just haven't found the exact solution yet.
  | 
  | piratepete aka (David Whitehurst)

The problem today is that identity today, and even authentication is way too underspecified to have any truly portable security solution in J2EE(Java EE now) servers. Without support of something like the JSR-196 authentication contract there will be nontrivial server specific integration, and security scenarios that don't map well because they are underspecified in the specs.


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3894506#3894506

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3894506