If I have understood it correctly, JBoss uses only JAAS authentication, but not JAAS authorization, to provide the JBoss security framework. The authorization provided is Servlet authorization and EJB authorization. So authorization is based on servlet URL permissions or EJB method permissions, respectively.
For my project I have to provide JAAS authorization with everything that belongs to it (AccessController, Permission and Policy implementation and so on), so that we could add new kinds of permissions whenever we want.
I thought I only had to replace the JAASSecurityManager implementation with my own self-written SecurityManager and conveniently integrate it into the existing framework.
Is that possible? It would be great, because then I wouldn't have to dispense with the implemented MBeans for LoginModule configuration etc.
But after reading the documentation I got the feeling that even if I write a new JAASSecurityManager, it can only serve the purpose of providing Servlet or EJB security. But I don't want EJB/Servlet security. I want to provide JAAS authorization.
At the least, if nothing else is possible, I want to implement the AuthenticationManager interface (or use the existing authentication part of JAASSecurityManager) BUT NOT the RealmMapping interface.
I don't want a role-based model with fixed permissions. I want to provide the whole of JAAS authorization.
Is it impossible within the JBoss security framework?
If it is impossible, is there any other way to use the existing authentication implementation and everything that belongs to it (the MBeans)? I don't want to write new DTDs etc. to provide LoginConf.xml. I want to use the existing ones.
But without implementing RealmMapping.
I hope you understand what I mean. I would be very happy to get an answer that makes everything a bit clearer.