In JBoss5, we have an extends mechanism. All you do is
<application-policy name="domain2" extends="somedomain"> </application-policy>
So you can define a hierarchy of security domain configuration.
Either reusing the jmx-console or having the profileservice domain extend it is fine. The ejb roles would need to be updated to use the same JBossAdmin role.
JBAS-7031: the profileservice ejbs now use the jmx-console domain and JBossAdmin as the required role.
Related to JBPAPP-2229, there is a request to not have the ProfileService proxy bindings available globally in jndi. It was further discussed to not use ejbs to provide the secure facade for the ProfileService. Rather, the currently unsecured remoting proxies for the ProfileService should be secured by default in the EAP, and the ejbs removed.
The org.jboss.profileservice.remoting.ProxyFactory bean deployed in deploy/profileservice-jboss-beans.xml is what creates the proxies and jndi bindings. These proxies do have typical client side interceptors, but the server side component is not being secured via a security aspect. That is what should be added to the following profileservice-jboss-beans.xml beans:
as well as the ProfileService bean from the bootstrap/conf/profile.xml deployment.
The above is what I would like to discuss on the Embedded Console call in 55 mins.
Which security aspect should we use (org.jboss.security.integration.password.Password?)
I assume that we want to use the jmx-console domain and JBossAdmin role that we just switched to.
Will the client side be using SecurityClient as mentioned here http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4242234 and documented here http://www.jboss.org/file-access/default/members/jbossejb3/freezone/docs/tutorial/1.0.7/html/Security_and_Transactions_in_EJB3.html?
We need something like the deploy/ejb3-interceptors-aop.xml RoleBasedAuthorizationInterceptorFactory which is applied to beans annotated with @SecurityDomain:
<interceptor name="Basic Authorization" factory="org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorFactory" scope="PER_CLASS"/>
..
<domain name="Stateless Bean" extends="Intercepted Bean" inheritBindings="true">
   <bind pointcut="execution(public * *->*(..))">
      <interceptor-ref name="org.jboss.ejb3.ENCPropagationInterceptor"/>
      <interceptor-ref name="org.jboss.ejb3.security.AuthenticationInterceptorFactory"/>
   </bind>
   <bind pointcut="execution(public * @org.jboss.ejb3.annotation.SecurityDomain->*(..))">
      <interceptor-ref name="Basic Authorization"/>
   </bind>
   <bind pointcut="execution(public * *->*(..))">
      <interceptor-ref name="org.jboss.ejb3.security.RunAsSecurityInterceptorFactory"/>
   </bind>
   <bind pointcut="execution(public * @org.jboss.ejb3.annotation.Clustered->*(..))">
      <interceptor-ref name="org.jboss.ejb3.remoting.ReplicantsManagerInterceptorFactory"/>
   </bind>
I'm looking at doing this as JBAS-7085.
This issue has been resolved. Note that the profileservice-jboss-beans.xml ProxyFactory bean has a createEjb3Links property which links the remoting proxy bindings to the old ejb3 facade names:
<!-- Create links from secured proxies back to old secured ejb3 facades -->
<property name="createEjb3Links">true</property>