Sorry, I was thinking of this configuration file:
<application-policy name="jmx-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
      <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
    </login-module>
  </authentication>
  <authorization>
    <customPolicy code="org.jboss.security.auth.spi.DatabasePolicy">
      <module-option name="dataSource">java:/DefaultDS</module-option>
    </customPolicy>
  </authorization>
</application-policy>
There was an original thought to have a complete policy specified, but with the introduction of JACC and other authorization standards like XACML, the configuration of authentication and authorization are two separate services.
The current security api and services need to be updated to support interop with the new security standards in a pluggable manner.
If you could give a list of the necessary improvements to be made in the current security api and services, I would thank you a lot.
I took a look at Sun's XACML site and I liked the idea.
The JACC JBoss implementation delegates the permission (except EJB and WAR permission) to Java policy. It would be nice if we could change the policy behavior of the JACC in a flexible manner, as said in the last lines of the wiki http://wiki.jboss.org/wiki/Wiki.jsp?page=JACC .
Is there some work in this area?
Someone already did a prototype of JACC built on XACML and talked about it in a BoF at JavaOne this year. I'll be working with him to get it into the codebase as at least a testcase for an alternate JACC implementation. Here is the dev forum topic that will be used to get the development going:
As I stated there I don't expect to get too much done for a month or so as I'm swamped with 4.0.3 finalization issues.