5 Replies Latest reply on Aug 8, 2008 6:15 AM by heiko.braun

    login 'unification'

    kukeltje

      Could someone explain this change to me? I totally miss the reason to switch to property files in combination with keeping the identity module using the database....

      Sounds like a bad choice to me.

        • 1. Re: login 'unification'
          heiko.braun

          Relax. This is part of the productization and doesn't impact jbpm3. However replacing the actual JAAS login module is trivial.

          What's the relationship to the identity module? Can you elaborate on this?

          • 2. Re: login 'unification'
            kukeltje

            Heiko,

            Sorry for the kind of rude tone in my comment in Jira, but there are so many changes and things going on without (at least for what it seems public) discussion that it is very hard to follow things and still have a clear overall picture. I sometimes get the impression that people making changes also have no clear picture, a clear picture of jBPM that is. The fact that you ask what the relation is with the identity module to me is an example of this (no offence). Changes like this login config lead to unnecessary discussions, frustrations if changes are discussed upfront.

            Ok, now the elaboration.

            The identity module can be used to do assignments in the workflow engine. There is a kind of 'expression language' that can be used to decide e.g. who should get a task. The default implementation of this uses the database with users, groups, role etc... so when part of this is in files, we either have to duplicate things, keep them in sync or rewrite the identity module to use files (nah... ). The login-config.xml currently uses the same database as identity module, so things are shared and *unified*.

            Using the database instead of files would solve this, so keeping things as they are... regardless of using a .sar for this.

            • 3. Re: login 'unification'
              aguizar

              Login users are identity users. To avoid duplication and provide a usable console, both must connect to the same data source. A database or an LDAP server are the natural candidates. A properties file is not.

              I like the security configuration mbean to avoid messing with the global login-config.xml file. The UsersRolesLoginModule is a poor default choice, though. Unless someone mentions a good reason to keep it, I will change it to DatabaseServerLoginModule.

              • 4. Re: login 'unification'
                kukeltje

                +10

                • 5. Re: login 'unification'
                  heiko.braun

                  You got me wrong in the first place. With "unification" I was addressing the technical means to configure and run it, this is the security configuration mbean.

                  Whatever JAAS login module is used below was not on my plate. But you are right, it should be using the same datastore across modules.

                  Feel free to change it to the DB login module.