4 Replies Latest reply on Mar 16, 2011 9:59 AM by jfclere

    AS7: Construct for centralized security

    anil.saldhana

      We need something similar to JaasSecurityDomain that helps us to centrally configure and obtain keystores, truststores, Secure socket factories... What else?

       

      Projects such as web services, messaging etc need to have some integration code to utilize this central construct.

        • 1. Re: AS7: Construct for centralized security
          mmoyses

          We also need some sort of attribute value masking strategy that can be used by any subsystem in order to mask passwords and other sensitive data in the configuration files.

          • 2. AS7: Construct for centralized security
            dlofthouse

            Do we have any indication as to what this will look like for some of the core AS services such as JBoss Web Configuration, JBossWS configurtion and for use by the LoginModules.

             

            From the perspective of domain management it is looking likely that requirements are going to be very close to those already covered in the core AS i.e.

            • We will need configuration to obtain the keystores / truststores for use by the exposed APIs
            • We will need similar configuration for clients when establishing a connection to an exposed API, i.e. the keystore for the clients identity and a truststore to verify the other end of the connection.
            • Then a Login process on the server side of the connection to authenticart the client based on their cert.

             

            When I have worked with this in previous AS releases one issue that I did encounter was that the configuration of the JBoss Web connector was completely independent of the configuration for the BaseCertLoginModule to perform the authentication of the user it would definately help if this was brought to a point that a common keystore / truststore configuration could then be used.

            • 3. AS7: Construct for centralized security
              dlofthouse

              Actually looking back at your first post you also mention secure socket factories, that could also be very useful to consider so we can avoid the keystores and truststores as much as we can and focus on the ready configured socket factories.

              • 4. AS7: Construct for centralized security
                jfclere

                While thinking to that for mod_cluster and web there was a discussion http://community.jboss.org/thread/154243