| Summary: | Add more documentation about Login Modules in Reference in Security Guide | ||
|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | Ondrej Lukas <olukas> |
| Component: | Documentation | Assignee: | Russell Dickenson <rdickens> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Peter Skopek <pskopek> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.2.0 | CC: | fbogyai, hmlnarik, jcacek, jkudrnac, lcosti, pskopek, rdickens |
| Target Milestone: | GA | Keywords: | Documentation |
| Target Release: | EAP 6.2.2 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Doc Type: | Bug Fix | | |
| Environment: | Build Name: 14876, Security Guide-6.2-1; Build Date: 28-11-2013 11:27:34; Topic ID: 4732-549749 [Latest] | | |
| Last Closed: | 2014-06-02 12:50:47 UTC | Type: | Bug |
| Bug Blocks: | 1035353 | | |
Description
Ondrej Lukas
2013-11-29 15:31:51 UTC
*** Bug 1035894 has been marked as a duplicate of this bug. ***

Verification failed. There is a lot of EAP 5 specific information in the new chapter. It will need a detailed review. After a quick look I can see the following problems (but there will be much more IMO):

* XML examples with security domains (application-policies) are not valid for EAP 6
* examples in the Password Hashing section should use SHA-256 rather than MD5
* remove module options from the chapter and include a reference to the corresponding tables in "Included Authentication Modules" [1]

[1] http://documentation-devel.engineering.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Enterprise_Application_Platform_Common_Criteria_Certification/6.2.2/html-single/Security_Guide/index.html#Included_Authentication_Modules1

In discussion with Peter Skopek we agreed that he, or another SME, would review the content of chapter 16 and provide feedback. To make this task as easy as possible, I have copied the chapter's text to an Etherpad [1]. Once we have that feedback, we will work on editing the chapter as required.

[1] http://etherpad.corp.redhat.com/jboss-eap6-cc-login-modules-chapter-review

Russell, you can find my changes to the text in the Etherpad [1].

[1] http://etherpad.corp.redhat.com/jboss-eap6-cc-login-modules-chapter-review

Attention: Peter

All feedback in the Etherpad has been incorporated into the CC edition of the Security Guide, which can be verified at [1].

[1] http://docbuilder.usersys.redhat.com/22671/

Attention: Peter

In the text, it seems that instead of "Login Modules", this chapter should be titled "Authentication Modules". What do you think?

@Russell here is my feedback:

1. "Procedure 16.1. Secure Web Applications with Certificates and Role-based Authorization": change the name of the secured application to something different than jmx-console.war; it evokes older versions of EAP. My suggestion: "user-app.war"
2. Can we move chapter "16.1.11. RunAsIdentity Creation" one level deeper, as it really is related to "16.1.10. RunAs Login Module"?
3. "16.1.13. SPNEGOUsers Login Module": this name of SPNEGO is an alias. I would like to see "SPNEGO" used there instead of "SPNEGOUsers". Sorry for not noticing it the first time.
4. Missing class names in login module tables: "Table A.1. RealmDirect" class is org.jboss.as.security.RealmDirectLoginModule; "Table A.3. Client" class is org.jboss.security.ClientLoginModule; "Table A.5. Remoting" class is org.jboss.as.security.remoting.RemotingLoginModule
5. Login modules Certificate and CertificateUsers are the same. You can delete "Table A.9. CertificateUsers" and "Table A.10. CertificateUsers Module Options"
6. "Table A.25. RunAs" class cell contains "Class:", which is redundant in this place.
7. In "Table A.37. SPNEGOUsers" and "Table A.38. SPNEGOUsers Module Options" rename SPNEGOUsers to SPNEGO as suggested in #3

WRT: Renaming the chapter to "Authentication Modules": I think that we should stay with the current name (Login Modules) as a couple of them are also performing authorization tasks, so we might put more confusion into the whole thing than necessary.

@Russell: I have checked the fixes to my feedback from comment #9. All is fine, and #3 is not possible due to technical problems in the docs build system (as discussed on IRC).

Reopening. The example in the SPNEGO section is not displayed: http://documentation-devel.engineering.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Enterprise_Application_Platform_Common_Criteria_Certification/6.2.2/html-single/Security_Guide/index.html#SPNEGOLoginModule

The problem with the missing example from the SPNEGO section, mentioned in comment 11, has been resolved. This can be verified in revision 6.2.2-11 (or higher) at [1].

[1] http://documentation-devel.engineering.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Enterprise_Application_Platform_Common_Criteria_Certification/6.2.2/html-single/Security_Guide/index.html#SPNEGOLoginModule

Verified in Revision 6.2.2-12 of the CC edition of the Security Guide.
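The two concrete defects raised in the thread (EAP 5 `application-policy` XML that is not valid for EAP 6, and password hashing examples built on MD5) are easier to check against a side-by-side configuration. The fragment below is an added illustration written for this page; it is not text from the bug, the Etherpad or the Security Guide. The EAP 5 form is the one the reviewer flagged, and the EAP 6 form is what an equivalent security domain looks like in `standalone.xml`. The domain name `user-app`, the property file locations and the `urn:jboss:domain:security:1.2` namespace (the version shipped with EAP 6.2) are assumptions for the example.

```xml
<!-- Added example, not from the bug or the Security Guide.                 -->
<!-- Assumed names: security domain "user-app", users/roles property files. -->

<!-- EAP 5 style (conf/login-config.xml). This is the shape the reviewer    -->
<!-- flagged: <application-policy> and element-text module options are not  -->
<!-- accepted by the EAP 6 security subsystem, and hashAlgorithm=MD5 is the -->
<!-- weak setting the Password Hashing section should not be teaching.      -->
<application-policy name="user-app">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">props/user-app-users.properties</module-option>
      <module-option name="rolesProperties">props/user-app-roles.properties</module-option>
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">base64</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- EAP 6 style (standalone.xml, security subsystem). Same login module,   -->
<!-- addressed by its short alias, options carried in name/value attributes, -->
<!-- and SHA-256 in place of MD5 for the stored password digests.           -->
<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    <security-domain name="user-app" cache-type="default">
      <authentication>
        <login-module code="UsersRoles" flag="required">
          <module-option name="usersProperties" value="${jboss.server.config.dir}/user-app-users.properties"/>
          <module-option name="rolesProperties" value="${jboss.server.config.dir}/user-app-roles.properties"/>
          <module-option name="hashAlgorithm" value="SHA-256"/>
          <module-option name="hashEncoding" value="base64"/>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>
```

With `hashAlgorithm` set to `SHA-256` and `hashEncoding` to `base64`, each entry in the users properties file holds the base64 encoding of the raw SHA-256 digest of the password (for example `printf '%s' 'secret' | openssl dgst -sha256 -binary | base64`), so an MD5 value copied from an older chapter will simply fail to match rather than silently keep working. The module options themselves belong in the "Included Authentication Modules" reference tables, as the thread requests, not repeated in the chapter.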