2 Replies Latest reply on Mar 1, 2005 9:41 AM by chris bono

    Mixed Security Domains

    chris bono Newbie

      We have different clients that require different authentication sources. For instance, our external clients user/pass are kept in a DB whereas our internal user/pass are kept in ActiveDirectory. I would like to extend the security layer of jboss to use the "client type" to decide which security store to authenticate against. I would also like this to be transparent to the client and do not want to deploy each service multiple times for each client type to use a different security scheme. Additionally all of the role and other security information that we use (privileges etc..) are always in the DB. So in a nutshell I would like to

      1) perform authentication using a client-dependent "store"
      2) retreive authorization from some other "store"

      What is the recommended approach to accomplish the above?

      I know that I can "piggy back" the "client type" parameter on the method invocation that can later be used in the security manager to "decide" where to look.

      Thanks,
      Chris

        • 1. Re: Mixed Security Domains
          Thomas Cherel Novice


          I believe that with a custom JAAS login module (both server and client), you should be able to provide the extra "client type" information from the client (using a custom JAAS module on the client that does "similar" things as the default JBoss client module) and, on the server, using another JAAS login module that is expecting the client type information, you should be able do the required authentication.

          It is a lot of "should" and "believe", but I am pretty sure that this is the way you should try to solve your problem.

          Thomas

          • 2. Re: Mixed Security Domains
            chris bono Newbie

            Hi Thomas,

            That is pretty much the path I am heading down. I just wanted to make sure there was not a cleaner "easier" approach.

            Thanks,
            Chris