2 Replies Latest reply on Mar 1, 2005 9:41 AM by bonoc

    Mixed Security Domains

    bonoc

      We have different clients that require different authentication sources. For instance, our external clients user/pass are kept in a DB whereas our internal user/pass are kept in ActiveDirectory. I would like to extend the security layer of jboss to use the "client type" to decide which security store to authenticate against. I would also like this to be transparent to the client and do not want to deploy each service multiple times for each client type to use a different security scheme. Additionally all of the role and other security information that we use (privileges etc..) are always in the DB. So in a nutshell I would like to

      1) perform authentication using a client-dependent "store"
      2) retrieve authorization from some other "store"

      What is the recommended approach to accomplish the above?

      I know that I can "piggy back" the "client type" parameter on the method invocation that can later be used in the security manager to "decide" where to look.

      Thanks,
      Chris

        • 1. Re: Mixed Security Domains
          tcherel


          I believe that with a custom JAAS login module (both server and client), you should be able to provide the extra "client type" information from the client (using a custom JAAS module on the client that does "similar" things as the default JBoss client module) and, on the server, using another JAAS login module that is expecting the client type information, you should be able to do the required authentication.

          It is a lot of "should" and "believe", but I am pretty sure that this is the way you should try to solve your problem.

          Thomas
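
          The server-side half of the approach Thomas describes, as an added example that is not from this thread or from JBoss itself: a JAAS LoginModule that reads a `clientType` value (assumed here to arrive in a `TextInputCallback` filled in by the custom client-side module) to pick the credential store, and then takes roles from the DB regardless of which store authenticated the user. The `CredentialStore` interface, the `SimplePrincipal` record and the user data are constructed stand-ins for the real DB and ActiveDirectory lookups.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class ClientTypeLoginModule implements LoginModule {
    // Stand-in for a real credential store (JDBC query against the DB, or an LDAP bind to ActiveDirectory).
    public interface CredentialStore { boolean verify(String user, char[] password); }
    record SimplePrincipal(String name) implements Principal { public String getName() { return name; } }
    private final Map<String, CredentialStore> storesByClientType = new HashMap<>();
    private final Map<String, Set<String>> rolesFromDb = new HashMap<>(); // authorization always lives in the DB
    private Subject subject; private CallbackHandler handler;
    private String user; private boolean authenticated;
    @Override public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
        // Constructed sample data standing in for the DB and ActiveDirectory lookups.
        storesByClientType.put("external", (u, p) -> "alice".equals(u) && Arrays.equals(p, "db-secret".toCharArray()));
        storesByClientType.put("internal", (u, p) -> "bob".equals(u) && Arrays.equals(p, "ad-secret".toCharArray()));
        rolesFromDb.put("alice", Set.of("customer"));
        rolesFromDb.put("bob", Set.of("employee", "admin"));
    }
    @Override public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user");
        PasswordCallback pass = new PasswordCallback("password", false);
        TextInputCallback type = new TextInputCallback("clientType"); // value supplied by the client-side module
        try { handler.handle(new Callback[] { name, pass, type }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e.getMessage()); }
        // An unknown client type is rejected outright; there is no fallback to a default store.
        CredentialStore store = storesByClientType.get(type.getText());
        if (store == null) throw new FailedLoginException("unknown client type: " + type.getText());
        char[] pw = pass.getPassword();
        try { authenticated = pw != null && store.verify(name.getName(), pw); }
        finally { pass.clearPassword(); if (pw != null) Arrays.fill(pw, '\0'); }
        if (!authenticated) throw new FailedLoginException("bad credentials");
        user = name.getName();
        return true;
    }
    @Override public boolean commit() {
        if (!authenticated) return false;
        subject.getPrincipals().add(new SimplePrincipal(user));
        // Roles come from the DB no matter which store did the authentication.
        for (String role : rolesFromDb.getOrDefault(user, Set.of()))
            subject.getPrincipals().add(new SimplePrincipal("role:" + role));
        return true;
    }
    @Override public boolean abort() { authenticated = false; user = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```

          How the role principals are mapped onto the container's own role convention is left to the deployment; the point shown is that the client type only selects where the password is checked, never where the privileges come from.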

          • 2. Re: Mixed Security Domains
            bonoc

            Hi Thomas,

            That is pretty much the path I am heading down. I just wanted to make sure there was not a cleaner "easier" approach.

            Thanks,
            Chris