JBoss AS 7.2

First of all, I alraedy have an existing webapp that asks users to authenticate via Active Directory / LDAP. I have the following in my standalone-ha.xml ( with some of the module options replaced with x.x.x.x and yyyyyy for privacy reasons ):

                <security-domain name="ldap">

                    <authentication>

                        <login-module code="LdapExtended" flag="required">

                            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>

                            <module-option name="java.naming.provider.url" value="ldap://x.x.x.x:yyyy"/>

                            <module-option name="java.naming.security.authentication" value="simple"/>

                            <module-option name="bindDN" value="CN=yyyy,OU=yyyy,DC=yyy,DC=yyy"/>

                            <module-option name="bindCredential" value="xxxxxxx"/>

                            <module-option name="baseCtxDN" value="DC=yyy,DC=yyy"/>

                            <module-option name="baseFilter" value="(sAMAccountName={0})"/>

                            <module-option name="rolesCtxDN" value="DC=aas,DC=priv"/>

                            <module-option name="roleFilter" value="(sAMAccountName={0})"/>

                            <module-option name="roleAttributeID" value="memberOf"/>

                            <module-option name="roleNameAttributeID" value="CN"/>

                        </login-module>

                    </authentication>

                </security-domain>

And in WEB-INF/jboss-web.xml, I then reference this security domain:

<jboss-web>

    <security-domain>java:/jaas/ldap</security-domain><!-- This is the name of the %lt;security-domain&gt; in standalone.xml / standalone-ha.xml -->

    <security-role>

        <description>Map web role names to LDAP role / principal names</description>

        <role-name>INSURANCE_CONFIG_ROLE</role-name><!-- the role name appearing in the standard web.xml dd  -->

        <principal-name>CN=xxxxx,OU=Ixxxxx,OU=xxx,OU=xxxx,OU=xxx,DC=xxx,DC=xxx</principal-name><!-- the existing role in your credential repo -->

    </security-role>

</jboss-web>

The resources are then protected in WEB-INF/web.xml whereby only the users that belong to the has the LDAP role identified in the <principal-name> in WEB-INF/boss-web.xml will be allowed access. The username and password is asked by the browser using <auth-method>BASIC</auth-method> instead of <auth-method>FORM</auth-method>.

That's all fine and dandy.

1) My first question is ....

I have a thick EJB clients using Swing, and I would like the users to be authenticated using the defined security-domains in the profile's xml file ( standalone.xml  / standalone-ha.xml / domain.xml ). I would then like to use JAAS to authenticated the users where users enter their username and password in a Swing dialog box. From the looks of it, the <security-domains> are the equivalent of a JAAS javax.security.auth.login.Configuration ... but how can I have a JAAS javax.security.auth.login.Configuration that basically read from standalone.xml / standalone-ha.xml / domain.xml's <security-domain> ?

e.g. Can the <security-domains> be obtained via JNDI lookup and returned as a Configuration ... so that I can use this Configuration into a code that I will write that uses JAAS LoginContext ?

( The <security-domain> entry in jboss-web.xml looks like a JNDI name )

e.g.:

public LoginContext(String name, Subject subject,

                        CallbackHandler callbackHandler,

                        Configuration config)

.. where Configuration is taken from the security-domains ??

Note that the authentication that I am referring to / wanting to do is

• *NOT* the authentication on the JNDI / EJB lookup and is
• *NOT* the declarative security with EJB3.

2) My second question is ....

How can I have desktop SSO for both webapp and thick client ? That is, authentication is already done via the desktop ( Windows network login/password ) so use that .. but have another mechanism to authorise the users if

For a webapp, I think it is covered basically by the following

https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/Security_Guide/index.html#About_SPNEGO

I still have to figure out what the values in the module properties should be, but can this desktop SSO be also used if JBoss EAP will be running on a linux host ??

Also, assuming all desktop SSO works as per documented above, and assuming that I have the correct values for the various module options ... For a thick-client, I would still want to obtain these security-domains from the standalone.xml / domain.xml  ... which goes back to the first question .. how do I obtain it ?