I just wanted to pick your brain on the following:
Previously, the JBoss Authorization stack was run by default for access
control unless the user configured not to do so. In JBoss AS7.1, we
have this disabled until the user configures the following in jboss-web.xml
I had a brief chat with JFClere last week and decided on the following:
JBossWebRealm will send audit events to the audit framework unless the
following setting is in jboss-web.xml
Audit is the feature that can add miniscule overhead. So if you want to
turn it off the audit by default, you have to change JBossWebRealm to
have: boolean disableAudit = true rather than the current "false". In
that case, we will require the users to configure jboss-web.xml if they
want audit for that particular webapp.
In think the authorization piece does not add any overhead. I just want
to check with you on the audit part.