4 Replies Latest reply: Mar 16, 2011 9:59 AM by Jean-Frederic Clere

AS7: Construct for centralized security

Anil Saldhana Master

We need something similar to JaasSecurityDomain that helps us to centrally configure and obtain keystores, truststores, secure socket factories... What else?

Projects such as web services, messaging, etc. need to have some integration code to utilize this central construct.

  • 1. Re: AS7: Construct for centralized security
    Marcus Moyses Novice

    We also need some sort of attribute value masking strategy that can be used by any subsystem in order to mask passwords and other sensitive data in the configuration files.

  • 2. AS7: Construct for centralized security
    Darran Lofthouse Master

    Do we have any indication as to what this will look like for some of the core AS services such as JBoss Web configuration, JBossWS configuration and for use by the LoginModules?

    From the perspective of domain management it is looking likely that requirements are going to be very close to those already covered in the core AS, i.e.:

    • We will need configuration to obtain the keystores / truststores for use by the exposed APIs.
    • We will need similar configuration for clients when establishing a connection to an exposed API, i.e. the keystore for the client's identity and a truststore to verify the other end of the connection.
    • Then a login process on the server side of the connection to authenticate the client based on their cert.

    When I have worked with this in previous AS releases, one issue that I did encounter was that the configuration of the JBoss Web connector was completely independent of the configuration for the BaseCertLoginModule to perform the authentication of the user. It would definitely help if this was brought to a point where a common keystore / truststore configuration could then be used.

  • 3. AS7: Construct for centralized security
    Darran Lofthouse Master

    Actually, looking back at your first post, you also mention secure socket factories. That could also be very useful to consider, so we can avoid the keystores and truststores as much as we can and focus on the ready-configured socket factories.

  • 4. AS7: Construct for centralized security
    Jean-Frederic Clere Master

    While thinking about that for mod_cluster and web, there was a discussion: http://community.jboss.org/thread/154243