| Feature-ID |
Owner |
Man Days |
Priority |
Description |
Status/Comments |
| SEC-001 |
Sudarsan |
7 |
1 |
Fixing master password set in javax.net.ssl.keyStorePassword and javax.net.ssl.trustStorePassword system properties |
80% complete, cleaned up code in Admin and Security Modules that deal with this. Working to fix how Grizzly gets this information securely. There is also a JarSigner usage in AppClient that seems to expect a password from the SecuritySupport SPI which needs to be cleaned up similarly |
| SEC-002 |
Kumar/Nithya |
10 |
1 |
Cleanup universal grants in server.policy |
some of the universal grants in server.policy are too accomodating and we need to clean it up to make the appserver more secure by default. |
| SEC-003 |
Nithya |
10 |
3 |
Securing access to the NameService |
80% complete, fix also backported to v3.0.1., details here , Additional work is to make enhancements that were being experimented for Puma, Utilize the code changes Ron made |
| SEC-004 |
Kumar & Nithya |
? |
3 |
FailOver and Loadbalancing of Secure IIOP requests |
Dependency on Corba team. See Corba Slides |
| SEC-005 |
Nithya & Kumar |
? |
3 |
WebLogic Deployment Descriptor Support |
More details here |
| SEC-006 |
Sudarsan |
Completed |
2 |
Extend Certificate realm to allow custom validation and group assignment based on the recieved client certificate in an SSL Mutual Authentcation. |
Completed |
| SEC-007 |
Nithya |
5 |
3 |
Finalize the support for PAM Realm in V3.1. This will allow secure apps deployed on V3.1 to authenticate its users against the native Solaris/Linux users list. |
90% done. |
| SEC-008 |
Nithya/Kumar |
10 |
3 |
Use of Tubes in GlassFish instead of Pipes for supporting Asychrony. Methods on the pipe are synchronous and hold on to the thread. |
Risk : There is some talk of JAXWS defning another new API. Need to check on its timelines. |
| SEC-009 |
Kumar |
20 |
3 |
Support for application scoped permissions : policies bundled in application jar's |
Could be more powerful if 10) is implemented |
| SEC-010 |
Kumar/Ron |
(mostly e-mail communication - not full time work) |
3 |
Coordinate with the classloader team on retaining the Jar Signer information. |
|
| SEC-011 |
Kumar/Nithya |
15 |
3 |
Support for custom web principals |
Users requested this feature on the forums and also required for spec compatibility w.r.t Servlet Profile of JSR 196 (see ron's notes ) |
| SEC-012 |
Kumar/Nithya |
15 |
4 |
Support for Dynamic Keystores. GlassFish currently has the limitation that Key-Passwords have to be the same as KeyStore Password |
( http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#KeystoreFormats ). The java.security.KeyStore.Builder class abstracts the construction and initialization of a KeyStore object. It supports the use of CallbackHandlers for password prompting and can be subclassed to support additional features as desired by an application. For example, it is possible to implement a Builder that allows individual KeyStore entries to be protected with different passwords. The javax.net.ssl.KeyStoreBuilderParameters class then can be used to initialize a KeyManagerFactory using one or more of these Builder objects. |
| SEC-013 |
Ron |
? |
1 |
Fixing defects in the Security chapter of Servlet 3.0 |
|
| SEC-014 |
Ron & Kumar |
25 |
4 |
including a portable JAAS based jsr 196 AuthConfigProvider as a separate module within Glassfish (to allow the configuration of Servlet (and perhaps SOAP) based auth modules via the standard JAAS config file. |
|
| SEC-015 |
Kumar & Nithya |
? |
1 |
OAM support for 3.1. In addition, OAM support enables us to use OWSM for configuring web services policy and therefore we will have to also test OWSM interop for 3.1 |
we will need to provide a backport for 2.x release. More details on the current proposal for OAM support are here . The OWSM interop scenarios defined would require support for Policy Alternatives in Metro 2.1 . |
| SEC-016 |
Kumar & Nithya |
? |
1 |
Security related CLI support for 3.1 |
Need to verify existing security related CLIs and provide --target support to enable cluster security infrastructure support. Refer to GlassFish 3.1 features wiki (Security section) for complete CLI list. |
