Web Authorization and Audit


Web Authorization and Audit

Anil Saldhana
Marcus,
   this is in regard to your proposed changes to JBossWebRealm for the
authorization bits.

https://github.com/mmoyses/jboss-as/commit/ba3c43f8dfc9c201098392c5ebf90474e49aa5a8

Previously, AS5/6, we had the JBoss Authorization enabled by default.  
IMO for AS7, you have taken the right approach to allow user to
configure whether to use JBoss Authz via jboss-web.xml setting.

We need to get this merged asap such that I can finish the auditing task
I am currently working on.

Regards,
Anil

_______________________________________________
jboss-as7-dev mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/jboss-as7-dev

Re: Web Authorization and Audit

Marcus Moyses
jboss-metadata-Beta14 is already being used in pom.xml so you already
have the parsing of disable-audit element in jboss-web.xml.

On 10/18/2011 12:09 PM, Anil Saldhana wrote:

> Marcus,
>     this is in regard to your proposed changes to JBossWebRealm for the
> authorization bits.
>
> https://github.com/mmoyses/jboss-as/commit/ba3c43f8dfc9c201098392c5ebf90474e49aa5a8
>
> Previously, AS5/6, we had the JBoss Authorization enabled by default.
> IMO for AS7, you have taken the right approach to allow user to
> configure whether to use JBoss Authz via jboss-web.xml setting.
>
> We need to get this merged asap such that I can finish the auditing task
> I am currently working on.
>
> Regards,
> Anil
>

--
Marcus Moyses
Senior JBoss Core Developer
JBoss by Red Hat


Re: Web Authorization and Audit

Anil Saldhana
No,  I need to add the audit to the authorization section of JBossWebRealm.

On 10/18/2011 09:14 AM, Marcus Moyses wrote:

> jboss-metadata-Beta14 is already being used in pom.xml so you already
> have the parsing of disable-audit element in jboss-web.xml.
>
> On 10/18/2011 12:09 PM, Anil Saldhana wrote:
>> Marcus,
>>      this is in regard to your proposed changes to JBossWebRealm for the
>> authorization bits.
>>
>> https://github.com/mmoyses/jboss-as/commit/ba3c43f8dfc9c201098392c5ebf90474e49aa5a8
>>
>> Previously, AS5/6, we had the JBoss Authorization enabled by default.
>> IMO for AS7, you have taken the right approach to allow user to
>> configure whether to use JBoss Authz via jboss-web.xml setting.
>>
>> We need to get this merged asap such that I can finish the auditing task
>> I am currently working on.
>>
>> Regards,
>> Anil

Re: Web Authorization and Audit

jtgreene
Administrator
In reply to this post by Anil Saldhana
On 10/18/11 9:09 AM, Anil Saldhana wrote:

> Marcus,
>     this is in regard to your proposed changes to JBossWebRealm for the
> authorization bits.
>
> https://github.com/mmoyses/jboss-as/commit/ba3c43f8dfc9c201098392c5ebf90474e49aa5a8
>
> Previously, AS5/6, we had the JBoss Authorization enabled by default.
> IMO for AS7, you have taken the right approach to allow user to
> configure whether to use JBoss Authz via jboss-web.xml setting.
>
> We need to get this merged asap such that I can finish the auditing task
> I am currently working on.

Just work off his commit then. That's the whole point of GIT, that a
developer doesn't race getting their commits in.

--
Jason T. Greene
JBoss AS Lead / EAP Platform Architect
JBoss, a division of Red Hat

Re: Web Authorization and Audit

Anil Saldhana
On 10/18/2011 09:18 AM, Jason T. Greene wrote:

> On 10/18/11 9:09 AM, Anil Saldhana wrote:
>> Marcus,
>>     this is in regard to your proposed changes to JBossWebRealm for the
>> authorization bits.
>>
>> https://github.com/mmoyses/jboss-as/commit/ba3c43f8dfc9c201098392c5ebf90474e49aa5a8
>>
>> Previously, AS5/6, we had the JBoss Authorization enabled by default.
>> IMO for AS7, you have taken the right approach to allow user to
>> configure whether to use JBoss Authz via jboss-web.xml setting.
>>
>> We need to get this merged asap such that I can finish the auditing task
>> I am currently working on.
>
> Just work off his commit then. That's the whole point of GIT, that a
> developer doesn't race getting their commits in.
>
I am going to cherry-pick this commit.  But I would like Marcus's changes
merged so that the sec propagation issue is tested.


Re: Web Authorization and Audit

Rémy Maucherat
In reply to this post by Anil Saldhana
On Tue, 2011-10-18 at 09:09 -0500, Anil Saldhana wrote:
> Marcus,
>    this is in regard to your proposed changes to JBossWebRealm for the
> authorization bits.
>
> https://github.com/mmoyses/jboss-as/commit/ba3c43f8dfc9c201098392c5ebf90474e49aa5a8
>
> Previously, AS5/6, we had the JBoss Authorization enabled by default.  
> IMO for AS7, you have taken the right approach to allow user to
> configure whether to use JBoss Authz via jboss-web.xml setting.

I didn't know what the default value for the useJBossAuthorization flag
was supposed to be, so feel free to propose changing it.

--
Remy Maucherat <[hidden email]>
Red Hat Inc


Re: Web Authorization and Audit

Anil Saldhana
On 10/18/2011 10:19 AM, Remy Maucherat wrote:

> On Tue, 2011-10-18 at 09:09 -0500, Anil Saldhana wrote:
>> Marcus,
>>     this is in regard to your proposed changes to JBossWebRealm for the
>> authorization bits.
>>
>> https://github.com/mmoyses/jboss-as/commit/ba3c43f8dfc9c201098392c5ebf90474e49aa5a8
>>
>> Previously, AS5/6, we had the JBoss Authorization enabled by default.
>> IMO for AS7, you have taken the right approach to allow user to
>> configure whether to use JBoss Authz via jboss-web.xml setting.
> I didn't know what the default value for the useJBossAuthorization flag
> was supposed to be, so feel free to propose changing it.
>
Remy, it should be false by default.  We do not want it enabled until
user wants to either use JACC or XACML or wants to write custom
authorization.
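An added example (not from this thread or from the JBoss AS code base) showing the jboss-web.xml deployment descriptor setting the thread is discussing, with the default Anil proposes beside the opt-in form. The element names `use-jboss-authorization` and `disable-audit` are assumed here to be the descriptor spellings of the `useJBossAuthorization` flag and the `disable-audit` element mentioned above; the security domain name is a constructed placeholder.

```xml
<!-- jboss-web.xml (added example; element names are assumptions, see lead-in) -->
<jboss-web>
    <!-- Security domain whose login modules authenticate the web app's users
         (constructed placeholder name). -->
    <security-domain>example-domain</security-domain>

    <!-- Default proposed in the thread: false. Only the servlet container's
         own role checks from web.xml (security-constraint / auth-constraint)
         apply, and the JBoss authorization layer is not consulted. -->
    <use-jboss-authorization>false</use-jboss-authorization>

    <!-- Switch to true only when the application relies on JACC, XACML, or a
         custom authorization module; with the flag left at false those
         policies are never evaluated, so a deployment that expects them
         would be relying on the container's role checks alone. -->
    <!-- <use-jboss-authorization>true</use-jboss-authorization> -->

    <!-- Keep auditing enabled (false) so authorization decisions made in the
         realm are recorded; true suppresses those audit events. -->
    <disable-audit>false</disable-audit>
</jboss-web>
```

When reviewing a deployment, check the two flags together: an application shipping a JACC or XACML policy with `use-jboss-authorization` still at its default is enforcing less than its authors intended, and `disable-audit` set to true removes the record that would show it.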


Re: Web Authorization and Audit

jtgreene
Administrator
In reply to this post by Anil Saldhana
On 10/18/11 9:31 AM, Anil Saldhana wrote:

> On 10/18/2011 09:18 AM, Jason T. Greene wrote:
>> On 10/18/11 9:09 AM, Anil Saldhana wrote:
>>> Marcus,
>>> this is in regard to your proposed changes to JBossWebRealm for the
>>> authorization bits.
>>>
>>> https://github.com/mmoyses/jboss-as/commit/ba3c43f8dfc9c201098392c5ebf90474e49aa5a8
>>>
>>> Previously, AS5/6, we had the JBoss Authorization enabled by default.
>>> IMO for AS7, you have taken the right approach to allow user to
>>> configure whether to use JBoss Authz via jboss-web.xml setting.
>>>
>>> We need to get this merged asap such that I can finish the auditing task
>>> I am currently working on.
>>
>> Just work off his commit then. That's the whole point of GIT, that a
>> developer doesn't race getting their commits in.
>>
> I am going to cherry-pick this commit. But I would like Marcus's changes
> merged so that the sec propagation issue is tested.
>

It will be looked at the next time the queue is merged, just like all
the other patches in queue.

--
Jason T. Greene
JBoss AS Lead / EAP Platform Architect
JBoss, a division of Red Hat

Re: Web Authorization and Audit

Bill Burke
In reply to this post by Anil Saldhana
Would be cool to see a very small writeup (even just an example
web.xml/jboss-web.xml) that shows:

a) What we *have* to support because of Java EE 6.

b) What we *actually* want users to use.

Having feature checkmarks is great, but these security interfaces really
need a facelift.  It still doesn't seem like a lot of effort is being
put into the usability of both consuming a security plugin and writing one.

On 10/18/11 10:09 AM, Anil Saldhana wrote:

> Marcus,
>     this is in regard to your proposed changes to JBossWebRealm for the
> authorization bits.
>
> https://github.com/mmoyses/jboss-as/commit/ba3c43f8dfc9c201098392c5ebf90474e49aa5a8
>
> Previously, AS5/6, we had the JBoss Authorization enabled by default.
> IMO for AS7, you have taken the right approach to allow user to
> configure whether to use JBoss Authz via jboss-web.xml setting.
>
> We need to get this merged asap such that I can finish the auditing task
> I am currently working on.
>
> Regards,
> Anil
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

Re: Web Authorization and Audit

Anil Saldhana
Bill,
  I agree on the usable security part of the arguments and we will do
whatever we can.

Typically, I write articles such as the ones for JBoss AS5.1
http://java.dzone.com/users/janilsal

This is what I have for AS7.1
http://community.jboss.org/wiki/JBossAS7SecurityDomainModel
http://community.jboss.org/wiki/JBossAS7SecurityAuditing

I will provide a writeup on the EE web security you have asked for,
later in the day.

Regards,
Anil

On 10/18/2011 10:33 AM, Bill Burke wrote:

> Would be cool to see a very small writeup (even just an example
> web.xml/jboss-web.xml) that shows:
>
> a) What we *have* to support because of Java EE 6.
>
> b) What we *actually* want users to use.
>
> Having feature checkmarks is great, but these security interfaces really
> need a facelift.  It still doesn't seem like a lot of effort is being
> put into the usability of both consuming a security plugin and writing one.
>
> On 10/18/11 10:09 AM, Anil Saldhana wrote:
>> Marcus,
>>      this is in regard to your proposed changes to JBossWebRealm for the
>> authorization bits.
>>
>> https://github.com/mmoyses/jboss-as/commit/ba3c43f8dfc9c201098392c5ebf90474e49aa5a8
>>
>> Previously, AS5/6, we had the JBoss Authorization enabled by default.
>> IMO for AS7, you have taken the right approach to allow user to
>> configure whether to use JBoss Authz via jboss-web.xml setting.
>>
>> We need to get this merged asap such that I can finish the auditing task
>> I am currently working on.
>>
>> Regards,
>> Anil

Re: Web Authorization and Audit

Anil Saldhana
Bill,
   here is an article that I wrote to basically dump my understanding.
http://community.jboss.org/wiki/PrimerOnWebSecurityInJBossAS

I know it is not comprehensive and you need more information, but it is
a start.

Regards,
Anil

On 10/18/2011 11:30 AM, Anil Saldhana wrote:

> Bill,
>    I agree on the usable security part of the arguments and we will do
> whatever we can.
>
> Typically, I write articles such as the ones for JBoss AS5.1
> http://java.dzone.com/users/janilsal
>
> This is what I have for AS7.1
> http://community.jboss.org/wiki/JBossAS7SecurityDomainModel
> http://community.jboss.org/wiki/JBossAS7SecurityAuditing
>
> I will provide a writeup on the EE web security you have asked for,
> later in the day.
>
> Regards,
> Anil
>
> On 10/18/2011 10:33 AM, Bill Burke wrote:
>> Would be cool to see a very small writeup (even just an example
>> web.xml/jboss-web.xml) that shows:
>>
>> a) What we *have* to support because of Java EE 6.
>>
>> b) What we *actually* want users to use.
>>
>> Having feature checkmarks is great, but these security interfaces really
>> need a facelift.  It still doesn't seem like a lot of effort is being
>> put into the usability of both consuming a security plugin and writing one.
>>
>> On 10/18/11 10:09 AM, Anil Saldhana wrote:
>>> Marcus,
>>>       this is in regard to your proposed changes to JBossWebRealm for the
>>> authorization bits.
>>>
>>> https://github.com/mmoyses/jboss-as/commit/ba3c43f8dfc9c201098392c5ebf90474e49aa5a8
>>>
>>> Previously, AS5/6, we had the JBoss Authorization enabled by default.
>>> IMO for AS7, you have taken the right approach to allow user to
>>> configure whether to use JBoss Authz via jboss-web.xml setting.
>>>
>>> We need to get this merged asap such that I can finish the auditing task
>>> I am currently working on.
>>>
>>> Regards,
>>> Anil
