This document collects the security requirements of the various JBoss Community projects in one place.
Projects Providing Requirements
- JBoss Application Server
- JBoss Developer Framework/JBossWay
- Need simpler application security programming model.
- Need better control over authentication mechanism.
- Need security detached from the containers.
- Need an Identity Management Model (represent users/roles/groups/attributes backed by databases or LDAP).
- Need Challenge/Response based authentication model.
- Need fine grained authorization and permission model.
- Need support for SAML2, OAuth2, JOSE.
- Operations on the Identity Model automatically flush any authentication caches.
Special requirements from DML:
- Authorization framework that is compatible with the EJB security model and also integrates with EE 7 security manager requirements and AccessControlContext
- Possible alternative to AccessControlContext for performance-sensitive applications
- Long term, a possibly fine-grained authorization framework for server and domain management
- Consolidated secure materials management (key management, certificate management, trust management)
- Alternative authentication mechanisms (e.g. private key authentication, maybe revisit SRP) for web and SASL (in addition to supporting existing mechanisms such as so-called "silent" auth)
- Support alternative identity/principal types (e.g. public keys, certificates) in addition to user name
- Support multiple identity realms based on selection criteria (realm if supported, or other criteria such as source IP address, chosen auth mechanism, or other principal like client cert)
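As an added illustration of the last requirement (not code from any JBoss project), a small realm selector that honours a requested realm only when it is one the server actually hosts and otherwise applies the other criteria in a fixed order; the record and rule types, the realm names and the sample contexts are all assumptions made here:

```java
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;

/** Facts known when authentication starts (hypothetical type, not a JBoss API). */
record AuthContext(String requestedRealm, String sourceIp, String mechanism, String clientCertSubject) {}

/** One selection rule: the realm to use when the predicate matches the context. */
record RealmRule(String realm, Predicate<AuthContext> matches) {}

public final class RealmSelector {
    private final Set<String> hostedRealms;
    private final List<RealmRule> rules;      // evaluated in order; first match wins
    private final String defaultRealm;

    RealmSelector(Set<String> hostedRealms, List<RealmRule> rules, String defaultRealm) {
        this.hostedRealms = hostedRealms;
        this.rules = rules;
        this.defaultRealm = defaultRealm;
    }

    String select(AuthContext ctx) {
        // A client-supplied realm name is trusted only as a choice among realms we host,
        // so an unknown name cannot steer authentication to an unintended realm.
        if (ctx.requestedRealm() != null && hostedRealms.contains(ctx.requestedRealm())) {
            return ctx.requestedRealm();
        }
        for (RealmRule rule : rules) {
            if (rule.matches().test(ctx)) {
                return rule.realm();
            }
        }
        return defaultRealm;
    }

    public static void main(String[] args) {
        List<RealmRule> rules = List.of(
            // client certificate present: authenticate against the certificate-backed realm
            new RealmRule("pki-realm", c -> c.clientCertSubject() != null),
            // placeholder prefix test standing in for a real CIDR match on the source address
            new RealmRule("internal-realm", c -> c.sourceIp() != null && c.sourceIp().startsWith("10.")),
            // chosen SASL mechanism decides the realm
            new RealmRule("token-realm", c -> "OAUTHBEARER".equals(c.mechanism())));
        RealmSelector selector = new RealmSelector(
            Set.of("pki-realm", "internal-realm", "token-realm", "public-realm"), rules, "public-realm");
        // Constructed sample contexts: cert principal; unknown realm hint from an internal address;
        // token mechanism from outside; and a plain external login that falls back to the default.
        System.out.println(selector.select(new AuthContext(null, "203.0.113.7", "PLAIN", "CN=svc-a")));
        System.out.println(selector.select(new AuthContext("bogus-realm", "10.0.0.5", "PLAIN", null)));
        System.out.println(selector.select(new AuthContext(null, "203.0.113.7", "OAUTHBEARER", null)));
        System.out.println(selector.select(new AuthContext(null, "203.0.113.7", "PLAIN", null)));
    }
}
```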
PicketBox5 Requirements: https://docs.jboss.org/author/display/SECURITY/PicketBox+Requirements+Document
PicketLink3 Requirements: https://docs.jboss.org/author/display/PLINK/Requirements+Document