Security Requirements Document

Version 5

    This document collects the security requirements of the various JBoss Community projects in one place.

    Projects Providing Requirements

    1. JBoss Application Server
    2. Aerogear
    3. JBoss Developer Framework/JBossWay
    4. RESTEasy
    5. GateIN
    6. DeltaSpike
    7. ModeShape
    8. Teiid

    Requirements

    (In Progress)

    1. Need a simpler application security programming model.
    2. Need better control over the authentication mechanism.
    3. Need security detached from the containers.
    4. Need an Identity Management Model (represent users, roles, groups and attributes, backed by databases or LDAP).
    5. Need a challenge/response based authentication model.
    6. Need a fine-grained authorization and permission model.
    7. Need support for SAML2, OAuth2 and JOSE.
    8. Operations on the Identity Model must automatically flush any authentication caches.
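
    The following is an added illustration of what requirement 5 asks for, not code from this page or from any JBoss project: a minimal challenge/response exchange in which the server issues a fresh nonce, the client answers with an HMAC over the user name and nonce computed from a shared secret, and the server recomputes and compares. The Server, Client and in-memory user store, the HmacSHA256 construction and the sample credential are all assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * HMAC-based challenge/response (added illustration, not JBoss code).
 * Step 1: server sends a fresh random nonce.  Step 2: client answers with
 * HMAC(secret, user || 0x00 || nonce).  Step 3: server recomputes and compares.
 */
public final class ChallengeResponseDemo {

    private static final String HMAC_ALG = "HmacSHA256";
    private static final SecureRandom RNG = new SecureRandom();

    /** Server side. The user store is a constructed in-memory map, an assumption for the demo. */
    static final class Server {
        private final Map<String, byte[]> secrets = new ConcurrentHashMap<>();
        /** Outstanding challenges; a nonce is removed on first use so a captured response cannot be replayed. */
        private final Map<String, byte[]> pendingNonces = new ConcurrentHashMap<>();

        void addUser(String user, String secret) {
            secrets.put(user, secret.getBytes(StandardCharsets.UTF_8));
        }

        /** Step 1: issue a 32-byte nonce from a CSPRNG, one per attempt. */
        byte[] challenge(String user) {
            byte[] nonce = new byte[32];
            RNG.nextBytes(nonce);
            pendingNonces.put(user, nonce);
            return nonce;
        }

        /** Step 3: consume the nonce whether or not verification succeeds, then compare in constant time. */
        boolean verify(String user, byte[] response) {
            byte[] nonce = pendingNonces.remove(user);
            byte[] secret = secrets.get(user);
            if (nonce == null || secret == null || response == null) {
                return false;                       // no outstanding challenge, or unknown user
            }
            byte[] expected = hmac(secret, user, nonce);
            return MessageDigest.isEqual(expected, response);
        }
    }

    /** Client side: knows the shared secret and answers challenges without ever sending it. */
    static final class Client {
        private final String user;
        private final byte[] secret;

        Client(String user, String secret) {
            this.user = user;
            this.secret = secret.getBytes(StandardCharsets.UTF_8);
        }

        /** Step 2: prove knowledge of the secret. */
        byte[] respond(byte[] nonce) {
            return hmac(secret, user, nonce);
        }
    }

    /** HMAC over the user name and the nonce; the 0x00 separator keeps the two fields from running together. */
    static byte[] hmac(byte[] secret, String user, byte[] nonce) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(secret, HMAC_ALG));
            mac.update(user.getBytes(StandardCharsets.UTF_8));
            mac.update((byte) 0);
            mac.update(nonce);
            return mac.doFinal();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        Server server = new Server();
        server.addUser("alice", "correct horse battery staple");      // constructed sample credential
        Client alice = new Client("alice", "correct horse battery staple");
        Client impostor = new Client("alice", "guessed secret");      // knows the user name, not the secret

        byte[] nonce = server.challenge("alice");
        byte[] response = alice.respond(nonce);
        System.out.println("genuine response accepted: " + server.verify("alice", response));
        // The same response presented again: the nonce was consumed, so the replay must be rejected.
        System.out.println("replayed response accepted: " + server.verify("alice", response));

        nonce = server.challenge("alice");
        System.out.println("impostor accepted: " + server.verify("alice", impostor.respond(nonce)));
    }
}
```

    Two points a reviewer would check in any real implementation of this model: the secret is held here in plain form purely for the demo (a store would keep a derived key, and the store design belongs to the Identity Model requirement), and the exchange only authenticates the client to the server without protecting the channel, so it has to run inside TLS or be bound to it.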

    Special requirements from DML:

    • Authorization framework that is compatible with the EJB security model and also integrates with EE 7 security manager requirements and AccessControlContext
    • Possible alternative to AccessControlContext for performance-sensitive applications
    • Long term, possibly a fine-grained authorization framework for server and domain management
    • Consolidated secure materials management (key management, certificate management, trust management)
    • Alternative authentication mechanisms (e.g. private key authentication, maybe revisit SRP) for web and SASL (in addition to supporting existing mechanisms such as so-called "silent" auth)
    • Support alternative identity/principal types (e.g. public keys, certificates) in addition to user name
    • Support multiple identity realms based on selection criteria (realm if supported, or other criteria such as source IP address, chosen auth mechanism, or other principal like client cert)
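
    As an added illustration of the last two bullets (alternative principal types, and realm selection by criteria such as source address, chosen mechanism or client certificate), the following is example code written for this page, not PicketBox, PicketLink or JBoss AS code. Every type name (AuthRequest, RealmSelector, CertificatePrincipal), the realm names and the sample requests are assumptions made for the example; the realm "carried in the mechanism" case from the bullet is not modelled.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Predicate;

/** Ordered, first-match realm selection (added illustration; all type names are hypothetical). */
public final class RealmSelectorDemo {

    /** What is known about an authentication attempt before any realm is consulted. */
    static final class AuthRequest {
        final InetAddress sourceAddress;
        final String mechanism;    // e.g. "CLIENT-CERT", "DIGEST-MD5", "PLAIN"
        final Principal principal; // user name, certificate subject, or null if not yet known

        AuthRequest(InetAddress sourceAddress, String mechanism, Principal principal) {
            this.sourceAddress = sourceAddress;
            this.mechanism = mechanism;
            this.principal = principal;
        }
    }

    /** A principal identified by an X.509 subject rather than a user name. */
    static final class CertificatePrincipal implements Principal {
        private final String subjectDn;
        CertificatePrincipal(String subjectDn) { this.subjectDn = subjectDn; }
        @Override public String getName() { return subjectDn; }
    }

    static final class NamePrincipal implements Principal {
        private final String name;
        NamePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Rules are tried in insertion order and the first match wins, so the most specific rule goes first. */
    static final class RealmSelector {
        private final List<Predicate<AuthRequest>> conditions = new ArrayList<>();
        private final List<String> realms = new ArrayList<>();
        private final String defaultRealm;

        RealmSelector(String defaultRealm) { this.defaultRealm = defaultRealm; }

        RealmSelector when(Predicate<AuthRequest> condition, String realm) {
            conditions.add(condition);
            realms.add(realm);
            return this;
        }

        String select(AuthRequest request) {
            for (int i = 0; i < conditions.size(); i++) {
                if (conditions.get(i).test(request)) return realms.get(i);
            }
            return defaultRealm;
        }
    }

    /** Matches requests whose source address lies within network/prefixBits (IPv4 or IPv6). */
    static Predicate<AuthRequest> fromSubnet(String network, int prefixBits) {
        final byte[] net = address(network).getAddress();
        return r -> r.sourceAddress != null && prefixMatches(net, r.sourceAddress.getAddress(), prefixBits);
    }

    static boolean prefixMatches(byte[] net, byte[] addr, int prefixBits) {
        if (net.length != addr.length || prefixBits > net.length * 8) {
            return false;                          // mixed IPv4/IPv6 or bad prefix length: no match
        }
        int fullBytes = prefixBits / 8;
        int remainingBits = prefixBits % 8;
        for (int i = 0; i < fullBytes; i++) {
            if (net[i] != addr[i]) return false;
        }
        if (remainingBits == 0) return true;
        int mask = (0xFF << (8 - remainingBits)) & 0xFF;
        return (net[fullBytes] & mask) == (addr[fullBytes] & mask);
    }

    static InetAddress address(String literal) {
        try {
            return InetAddress.getByName(literal); // an IP literal is parsed, not resolved
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException(literal, e);
        }
    }

    public static void main(String[] args) {
        RealmSelector selector = new RealmSelector("ApplicationRealm")   // realm names are constructed
            .when(r -> r.principal instanceof CertificatePrincipal, "PkiRealm")
            .when(fromSubnet("10.0.0.0", 8).and(r -> "DIGEST-MD5".equals(r.mechanism)), "ManagementRealm")
            .when(r -> "PLAIN".equals(r.mechanism), "LegacyRealm");

        // Constructed sample requests.
        AuthRequest cert = new AuthRequest(address("203.0.113.7"), "CLIENT-CERT",
                new CertificatePrincipal("CN=deploy-bot,O=Example"));
        AuthRequest mgmt = new AuthRequest(address("10.1.2.3"), "DIGEST-MD5", new NamePrincipal("admin"));
        AuthRequest external = new AuthRequest(address("198.51.100.9"), "DIGEST-MD5", new NamePrincipal("admin"));
        AuthRequest plain = new AuthRequest(address("10.1.2.3"), "PLAIN", new NamePrincipal("bob"));

        System.out.println("client cert        -> " + selector.select(cert));
        System.out.println("DIGEST on 10/8     -> " + selector.select(mgmt));
        System.out.println("DIGEST from outside -> " + selector.select(external)); // no rule matches: default realm
        System.out.println("PLAIN on 10/8      -> " + selector.select(plain));
    }
}
```

    The ordering is the security-relevant part: the certificate rule is placed first so that a caller presenting a client certificate is never routed by its address, and a source-address rule should only choose which realm is consulted, never grant access on its own, since the address is weak evidence behind proxies and NAT.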

    Steps Taken

    PicketBox5 Requirements: https://docs.jboss.org/author/display/SECURITY/PicketBox+Requirements+Document

    PicketLink3 Requirements: https://docs.jboss.org/author/display/PLINK/Requirements+Document

    Reference

    1. Authentication API Design
    2. Identity Model Requirements