-
1. Re: login-config.xml in the ear
kanagawa Aug 27, 2003 9:00 AM (in response to vprise)I have this same problem... did you ever manage to find a way to make it work?
-
2. Re: login-config.xml in the ear
tthiele Sep 4, 2003 3:04 AM (in response to vprise)Even without paid JBoss documentation one should cope with the JAAS part of JBoss. All nessesary things are described in the QuickStart or elsewhere because JBoss follows the standard. Nothing is wrong with this imho. It is a fundamental concept of JAAS that the login modules (PAM's) are provided by the application server and not by the application itself. If your applications want/need full control over the security issues you should dispose of all declarative security (resp. JAAS) and write thes parts by hand (the old traditional way).
I had the same problem, but we decided to educate our customers and convince them that the pluggable authentication is a valueable thing and it's worth to make a little administrative efford. It worked and all are happy with that. -
3. Re: login-config.xml in the ear
kanagawa Sep 4, 2003 6:04 AM (in response to vprise)Can you direct me to the relevant standards documents or JSRs? I must be missing something important in my understanding of the J2EE architecture. It doesn't yet make sense that the enterprise application should be able to describe the security domain to which it wishes to belong, but not also define a new security domain with new authentication requirements and modules.
-
4. Re: login-config.xml in the ear
tthiele Sep 4, 2003 10:51 AM (in response to vprise)hmmm... What I can mention without digging much: j2ee-1_3-fr-spec.pdf section J2EE.3.3 and ejb-2_0-fr2-spec.pdf section 19.8.
The deployment descriptors jboss.xml and jboss-web.xml do not _define_ new security domains. They only _reference_ them. Providing these security domains is the business of the application container. This must be leveraged outside the myapp.ear.
Hmmm... as far as I remember/understood the game: There are the roles administrator (or deployer?, runs the app server) and application provider (bean provider resp. assembler? - delivers the .ear).
The idea is that the administrator is responsible for the application server and he doesn't trust the application provider at all. So the application provider must not be able to control the security domain (by means of the 'standard'). -
5. Re: login-config.xml in the ear
kanagawa Sep 4, 2003 11:01 AM (in response to vprise)I suspect you're correct about the intent--server administrators shouldn't trust the application; but, when an application deployment descriptor can deploy into an arbitrary security domain and set its EJBs to run-as an arbitrary role, its kind-of moot. The application provider really runs the show, at that point. I'll take a look at the specifications and let you know if I find anything interesting.
-
6. Re: login-config.xml in the ear
tthiele Sep 4, 2003 3:05 PM (in response to vprise)the correct part which you should watch is: j2ee-1_3-fr-spec.pdf section J2EE.2.10.4 (see paragraph "Configuration")