From: tcherel <nu...@jb...> - 2005-08-10 16:46:51
If I may add a few possible requirements on the coupling between authentication and authorization (and related):

1) Definitely allow a doAs model on an EJB client application. This should allow a single application to authenticate multiple users (if needed) and decide which user to use when and for which operations (quite useful in multi-tier environments).

2) But the doAs model can sometimes be painful to program with (delegate class needed for all actions). There should be a way to also set the "current subject" for the current thread or for all threads (or groups, or the whole JVM) to make single-user applications easy to write.

3) Being able to configure the server so Java security is actually enforced (all actions executed on the server side are done within a doAs block). This will allow Java security policies to be defined on the server side if needed.

4) A tighter integration between the client JAAS login modules and the server ones would be nice:
- Calling LoginContext.login on the client should go through the client-side JAAS modules, then the subject is sent to the server and the server-side JAAS modules are then executed.
- Any custom principal (or credential or others) added to the Subject during client-side authentication should be available in the Subject provided to the server-side JAAS modules.
- Any custom principal (or credential or others) added to the Subject during server-side authentication should be available in the Subject on the client side after the authentication process is finished. Maybe a configurable mechanism to decide what is "sent back" or not would be nice as well.

5) Probably linked to point 3) above, being able to retrieve the current subject in any EJB component code (like within a session bean operation).

All these requirements have one goal in mind: making authentication/authorization more flexible and "easily" customizable.
At least these are the kind of things I would have loved to see in one of my recent projects :-)

I think similar flexibility should also be provided through the web container. My understanding in this area is not as good as on the pure EJB client, so it is harder for me to define some precise requirements, but some of the ideas are as follows:

1) Being able to get the current Subject in servlet code, including any custom principals (or others) that have been added to it.

2) Some FORM authentication extensions where extra form fields (or even HTTP headers) can be used for the authentication process (can be accessed in the JAAS login module). Something that will allow similar custom authentications to what can be done with custom subject principals sent from the client.

I also have a few more ideas that I need to formalize a little better around SSO capabilities. Basically, with some of the JDK-provided login modules (NTSystem, Kerberos and Unix), it should be possible to support SSO from an EJB client without too much pain. What I mean by SSO is being able to propagate the id of the current user of the client machine (Unix or Windows user id) without having to ask the user to provide user name and password again (he already did it when logging in to his machine).

Thomas

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3889293#3889293
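As an added illustration (not Thomas's code and not anything from JBoss), the following shows the doAs model from point 1, the thread-bound "current subject" convenience from point 2, and component code retrieving the caller's Subject as in point 5. `UserPrincipal`, `authenticated()`, `setCurrentSubject()` and `runAsCurrent()` are hypothetical stand-ins for a login module and a container; the code uses the Java 5-era `Subject.getSubject` API of the post's time (newer JDKs replace it with `Subject.current()` and `Subject.callAs`).

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Set;
import javax.security.auth.Subject;

public class DoAsDemo {
    // Hypothetical custom principal, standing in for one a client-side login module would add.
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Stand-in for LoginContext.login: builds an already-authenticated Subject (constructed data).
    static Subject authenticated(String user) {
        Subject s = new Subject();
        s.getPrincipals().add(new UserPrincipal(user));
        s.setReadOnly();
        return s;
    }

    // What component code (point 5) can do: read the Subject bound to the calling access-control
    // context. Outside a doAs block there is none, so the code must handle null.
    static String whoAmI() {
        Subject current = Subject.getSubject(AccessController.getContext());
        if (current == null) return "<no subject>";
        Set<UserPrincipal> ps = current.getPrincipals(UserPrincipal.class);
        return ps.isEmpty() ? "<no user principal>" : ps.iterator().next().getName();
    }

    // Point 2: a thread-local "current subject" so single-user code need not wrap every call
    // in its own delegate; unwrapped calls run without a Subject in the context.
    private static final ThreadLocal<Subject> CURRENT = new ThreadLocal<>();
    static void setCurrentSubject(Subject s) { CURRENT.set(s); }
    static <T> T runAsCurrent(PrivilegedAction<T> action) {
        Subject s = CURRENT.get();
        return s == null ? action.run() : Subject.doAs(s, action);
    }

    public static void main(String[] args) {
        Subject alice = authenticated("alice");
        Subject bob = authenticated("bob");
        // Point 1: one application holding two authenticated users, choosing per operation.
        System.out.println("report as: " + Subject.doAs(alice, (PrivilegedAction<String>) DoAsDemo::whoAmI));
        System.out.println("approve as: " + Subject.doAs(bob, (PrivilegedAction<String>) DoAsDemo::whoAmI));
        System.out.println("plain call: " + whoAmI());
        setCurrentSubject(alice); // bind once for this thread, then call without a delegate per action
        System.out.println("thread default: " + runAsCurrent(DoAsDemo::whoAmI));
    }
}
```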