4 Replies Latest reply on Jun 28, 2006 1:16 PM by starksm64

JBAS-1477: Pass in the security-domain name to the login mod

j2ee_junkie Jun 27, 2006 2:33 PM

This thread refers to task http://jira.jboss.com/jira/browse/JBAS-1477.

This simple task is to allow a login module to know what application-policy (i.e. security-domain) it is a member of. This is useful to diagnose configuration problems that default to "other" security domain. However, there are several ways to do this task. The major factors in the decision seem to me to be how deep a change do we want to make and how much user interaction do we want to get this to work. Three options I have come up with are...

1) just add a new module option to AbstractServerLoginModule called securityDomain. If set in config to name of application-policy then it can be displayed during LM init(). This is the easiest to due, requires the least amount of JBossSX changes, but requires a user to add the module-option value in config.

2) do #1 and modify XMLLoginConfigIml to automatically set the option. This makes the user not have to worry about anything.

3) follow my original suggestion in JIRA task. Make a SecurityDomainCallback that can be obtained from LM along with other modifications. This also would require no user interaction, but causes the most amount of change to JBossSX.

I am not sure how you feel about the sometimes competing issues of user friendlieness vs. extent of JBoss modification. Any suggestions appreciated.

thanks, cgriffith

1. Re: JBAS-1477: Pass in the security-domain name to the login

starksm64 Jun 28, 2006 9:54 AM (in response to j2ee_junkie)

Moved to design forum. I'm inclined to pursue approach 2).
Actions
2. Re: JBAS-1477: Pass in the security-domain name to the login

anil.saldhana Jun 28, 2006 10:51 AM (in response to j2ee_junkie)
In HEAD, I have generalized security config to not be Jaas dependent but to cater to both authentication as well as authorization information.

Branch_4_0:
Given this, it boils down to one step:
In XMLLoginConfigImpl, when there is a request made for
public AppConfigurationEntry[] getAppConfigurationEntry(String appName)

you have the appName (which is the securityDomain), you just populate the options with a special keyword (maybe "jboss.security.domain"). This way, the user is not forced to add an option to his LM config. Now any LM that wants to obtain the security domain information, can do so by peeking into the options with this keyword (which can be equivalent to Util.SECURITY_DOMAIN)

I see a need for the following in security for the 4.0 codebase:
1) A security constants interface defining constants.
2) A Security utility class. (Util does it but it is for Jaas only).
Actions
3. Re: JBAS-1477: Pass in the security-domain name to the login

j2ee_junkie Jun 28, 2006 11:01 AM (in response to j2ee_junkie)

Thanks guys for your replies. #2 it is then. Anil, my plan was to do exactly as you have advised. The only question remains then. What versions to do this update to? HEAD and Branch_4_0?

cgriffith
Actions
4. Re: JBAS-1477: Pass in the security-domain name to the login

starksm64 Jun 28, 2006 1:16 PM (in response to j2ee_junkie)

head and 4.0.
Actions

Go to original post