4 Replies Latest reply on Apr 7, 2008 10:06 PM by techrams

JSR-196 [Java Authentication SPI for Containers] Discussion

anil.saldhana Mar 15, 2006 12:22 PM

I would like to dedicate this thread for discussion on JSR-196 (JASPI).

As you know the container issue for JSR-196 implementation in JBoss 5.0 is:
http://jira.jboss.com/jira/browse/JBAS-2525
Once the prototype stabilizes, we will backport to Branch 4.0

What I am primarily looking for discussion on this thread are:
a) Identification of issues while implementing the JASPI spec, to be fed back to the Expert Group for clarification.
b) Any possible extensions to JSR-196.

Currently, the extensions that need to be made to the JSR-196 spec from my perspective are:
a) A standard configuration similar to JAAS configuration as in:
http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/login/AppConfigurationEntry.html
b) Spec should be extended to include EJB Containers. Currently the specification only handles the Web and the WebService containers.

Scott says: "needs to sync up with the EJB3 interceptors"

Please add extensions that come in your mind, while implementing or reading the specification.

1. Re: JSR-196 [Java Authentication SPI for Containers] Discuss

anil.saldhana Mar 17, 2006 3:13 AM (in response to anil.saldhana)

http://www.jboss.com/index.html?module=bb&op=viewtopic&t=79391

is the discussion on extending JSR-196 to EJB3 interceptors.
Actions
2. Re: JSR-196 [Java Authentication SPI for Containers] Discuss

anil.saldhana Apr 6, 2006 5:39 PM (in response to anil.saldhana)
An issue that needs consideration is whether the ServerAuthModules need to do some form of a handshake with the clientside. This exists in the GSS Style API, Ldap SASL and the following snip from Scott's reply says it further:

Yes, the handshake is a problem. How would digest auth be handled in the web container if all step were delegated to the jsr196 layer? SRP is another gss like protocol that has a multi-request handshake.
Actions
3. Re: JSR-196 [Java Authentication SPI for Containers] Discuss

anil.saldhana Jun 3, 2006 3:47 PM (in response to anil.saldhana)
To consider JSR-196 for JMS, I see an issue:

There is no notion of a JMS message until you have a connection from a connectionfactory. Only when you are creating a connection, would you consider security.

http://java.sun.com/j2ee/1.4/docs/api/javax/jms/ConnectionFactory.html

ConnectionFactory cf = // Connection con = cf.createConnection(String username, String password); //No Message here Session sess = con.createSession(....); //Message will follow later and we have already authenticated

Since JSR-196 would require a message object while passing thru the auth modules, I am wondering whether JSR-196 can be applied to JMS.
Actions
4. Re: JSR-196 [Java Authentication SPI for Containers] Discuss

techrams Apr 7, 2008 10:06 PM (in response to anil.saldhana)

I see that last post has been a while back. Can we know what is the latest status of JSR-196 support in JBoss?
Actions

Go to original post