3 Replies Latest reply on Apr 20, 2006 12:15 PM by Anil Saldanha

    How to disable SecurityAssociationValve

    chris griffith Expert

      Anyone know how to ask JBoss not to add the SecurityAssociationValve to Tomcat pipeline?

      I am deploying a web-app in Tomcat embedded in JBoss (4.0.2) that does not need to access any EJBs. I would like to not have the SecurityAssociationValve added.

      Thanks for any help, cgriffith

        • 1. Re: How to disable SecurityAssociationValve
          Anil Saldanha Master

          There is no real overhead in the existence of the valve and it is necessary (not just for identity propagation but also to associate the SecurityAssociation info with the request thread).

          TomcatDeployer.java :-

          /* Add security association valve after the authorization
           valves so that the authenticated user may be associated with the
           request thread/session.
           */
           SecurityAssociationValve valve = new SecurityAssociationValve(metaData,
           server.invoke(objectName, "addValve",
           new Object[]{valve},
           new String[]{"org.apache.catalina.Valve"});

          Moral: This valve is a JBoss internal valve and should not be removed. :-)

          • 2. Re: How to disable SecurityAssociationValve
            chris griffith Expert


            I will take that as a "no easy way to remove it."

            My situation is more of an annoyance than a real need.

            I have a web-app that uses a custom Realm and a custom Principal. My design was that these items could be used by others (in my organization) to secure applications running in Tomcat, but not necessarily embedded in JBoss. Many of my fellow developers do not even deal with EJBs or utilize any of JBoss' wonderful services, but share my deployment environment. Others have their own standalone Tomcat instance.

            So a particular application of mine that uses these custom classes is getting a ClassCastException in SecurityAssociationValve as it tries to cast my custom Principal to a JBossGenericPrincipal. Although this does not affect the performance of the app, I just would like to not have the valve around in this situation.

            Have a great day, cgriffith

            • 3. Re: How to disable SecurityAssociationValve
              Anil Saldanha Master

              The JBossGenericPrincipal is needed for Tomcat authorization in the realms (JBossSecurityManagerRealm and Jacc.....Realm) and in Tomcat RealmBase class. So as a first step, you need to see how your custom principal maps to GenericPrincipal.
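
The mapping step suggested in the last reply, as an added example that is not part of the thread and is not JBoss or Tomcat code. Stand-in classes model a container that expects its own principal type: a blind cast reproduces the ClassCastException described in the thread, a guarded check denies instead of throwing, and a mapped principal is authorized. `ContainerPrincipal`, `CustomPrincipal` and the method names are hypothetical; `ContainerPrincipal` stands in for the GenericPrincipal family.

```java
import java.security.Principal;
import java.util.*;

public class PrincipalMappingDemo {
    // Hypothetical stand-in for the principal type the container expects.
    static class ContainerPrincipal implements Principal {
        private final String name;
        private final Set<String> roles;
        ContainerPrincipal(String name, Collection<String> roles) {
            this.name = name;
            this.roles = new HashSet<>(roles);
        }
        public String getName() { return name; }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    // Hypothetical custom principal: implements Principal but is unrelated to the container type.
    static class CustomPrincipal implements Principal {
        final String name;
        final List<String> groups;
        CustomPrincipal(String name, List<String> groups) { this.name = name; this.groups = groups; }
        public String getName() { return name; }
    }

    // Blind cast: throws ClassCastException for any foreign Principal implementation.
    static boolean hasRoleBlind(Principal p, String role) {
        return ((ContainerPrincipal) p).hasRole(role);
    }

    // Guarded check: an unknown principal type is denied (fail closed) instead of throwing.
    static boolean hasRoleGuarded(Principal p, String role) {
        return p instanceof ContainerPrincipal && ((ContainerPrincipal) p).hasRole(role);
    }

    // Mapping step: carry the custom principal's name and groups into the container type.
    static ContainerPrincipal map(CustomPrincipal c) {
        return new ContainerPrincipal(c.getName(), c.groups);
    }

    public static void main(String[] args) {
        // Constructed sample identity, not taken from the thread.
        CustomPrincipal custom = new CustomPrincipal("alice", Arrays.asList("admin"));
        try {
            hasRoleBlind(custom, "admin");
        } catch (ClassCastException e) {
            System.out.println("blind cast failed: " + e.getClass().getSimpleName());
        }
        System.out.println("guarded, unmapped: " + hasRoleGuarded(custom, "admin"));
        System.out.println("guarded, mapped:   " + hasRoleGuarded(map(custom), "admin"));
    }
}
```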