DynamicLoginConfig equivalent for stand-alone EAR deployments
zbedell Sep 14, 2012 5:01 PMGreetings all,
I'm exploring what will be required to migrate my organization's many JBoss 4.2.3 application servers up to JBoss 7.x (currently looking at 7.1.1.Final). One of the main reasons we're looking to move is that we've found that using isolated classloaders for EAR deployments only "mostly" works in 4.2.3, and the new classloading system in JBoss 7 looks like it does a much better job of keeping deployements' classes truly separated. We generally run anywhere from a few up to a dozen separate EAR files deployed to a single JBoss instance, so being able to have EAR files that are fully self-contained is attractive to us.
To date, we've managed to get our deployments in JBoss 4.2.3 to be fully self-contained except for library JAR files which end up in server/lib. Specifically, all datasource descriptors, JAAS configuration (including the obfuscated database passwords), system property settings, etc. are all loaded via MBeans spawned from jboss-service.xml's within the various EAR files. The up shot of all of this is that when we deploy multiple EAR files to a server, we need only deploy the EARs themselves and the superset of all JAR files required by the various apps (with any version conflicts resolved via cooperation between the teams providing the apps). We don't need to edit any of the global JBoss configuration files (such as conf/jboss-service.xml or conf/login-config.xml) as the EAR-embedded MBeans allow us to influence the server-wide configuration in a far more compartmentalized fashion. This has eliminated a huge amount of contention where modifying especially login-config.xml in the past required careful coordination between groups sharing an app server and caused complications with maintaining separate single-app versions of the file for individual developers' local testing versus the combined version for use on live servers.
So now looking at JBoss 7.1, I have to admit I'm a little aghast what what I see with respect to keeping per-app configuration out of the server-wide config files. JBoss 7.0 doesn't appear to have supported *-ds.xml files at all for datasources, so I'm thankful that 7.1.1 appears to, admittedly as second-class citizens versus placing DB configuration directly in configuration/standalone.xml. The absence of org.jboss.varia.property.SystemPropertiesService was somewhat disconcerting, but fortunately I was able to modify that class from JBoss 4.2.3 to provide the minimum necessary functionality (loading properties from a *.properties file), and deploy that as a global JBoss module.
That leaves one rather major stumbling block in terms of org.jboss.security.auth.login.DynamicLoginConfig. Presently, we deploy that MBean in each EAR's jboss-service.xml and reference a private login-config.xml also deployed within the EAR file. Something like:
<mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
name="sample-app:service=DynamicLoginConfig,domain=YOUR_EAR_NAME">
<attribute name="AuthConfig">META-INF/login-config.xml</attribute>
<depends optional-attribute-name="LoginConfigService">
jboss.security:service=XMLLoginConfig
</depends>
<depends optional-attribute-name="SecurityManagerService">
jboss.security:service=JaasSecurityManager
</depends>
</mbean>
Under JBoss 7.1, that MBean is no longer available, and Googling around and searching the JBoss Community Forums has led to a number of various requests for an equivalent, all of which are pointed towards modifying standalone.xml. That solution is a huge step backwards in terms of encapsulating application-specific configuration as it now requires deploying an EAR file and also monkeying around with global application server configuration files for each EAR that's deployed. Testing a single application locally requires a differently modified config file that running all applications on a live server, so inevitable configuration bugs are introduced in maintaining separate versions of a very complicated XML configuration file.
So to finally get to a real question…
Is there any mechanism in JBoss 7.1.1 which can load JAAS configurations from a location outside configuration/standalone.xml? We need a way for each application to specify its own configuration without interfering with other applications sharing the server. Something embedded in the EAR would be ideal, though if there were a way to deploy separate XML configuration files to standalone/configuration or similar and have them loaded, that would work. Having to coordinate edits to a single shared configuration file across applications is inherently troublesome and something we've worked very hard to avoid.
We use per-app JAAS configuration both to setup actual login modules (we have a custom LoginModule which operates against our rather complicated in-house authenticated webservices) and also to provide database credentials in an obfuscated form via org.jboss.resource.security.SecureIdentityLoginModule. It appears JBoss 7.1's solution for the latter option is to use the vault facility, though that as well looks problematic. From what I've been able to gather, the vault facility uses a single keystore file to hold encrypted passwords for the entire app server. Contrasted to the JBoss 4.2.3 mechanism where the password encryption process yields only an encrypted string which can be pasted into config files or system properties without being dependent on a file that's global to the app server. I suspect that there may be some way to plug in to PicketBox with some other magic ${…} syntax to provide self-contained encrypted passwords, but I've not yet delved in to try and find that.
Philosophically speaking, it seems to me that anything which requires editing global server files to deploy an application is inherently counter to the idea of JEE application encapsulation. The idea of dropping a single self-contained EAR file into a directory and having it able to configure itself and operate without additional meddling is a very attractive approach.
If anyone has any suggestions on how to resolve this, I'd very much appreciate the help.
Best regards,
Zac Bedell