0 Replies Latest reply on May 4, 2009 11:34 AM by Sven Borkert

    Security in load-balanced web applications

    Sven Borkert Newbie


      I tried to figure out some details about JBossSX security and JAAS authentication from inside a web application in JBoss. Most of the documentation I can find is about how to write LoginModules, how to protect resources, etc. That's not the problem.

      What I would like to know is a more detailed description of what happens when authenticating against a web application, for example with BASIC or FORM authentication. I enter my credentials, the JaasSecurityManager uses the LoginModule(s) configured for the security domain to check the credentials and find out which roles the user is in. Then the mechanisms inside the web container can determine whether I may send something to the URL I requested or not.

      A user wants to enter his credentials only once, so the authentication/authorization gets cached. HTTP BASIC authentication means that the client will send username and password base64-encoded with every request to the same server/domain. FORM sends the credentials only once; a web session gets created and the authentication is remembered via the session. The authenticated client can be tracked by a session cookie that gets sent with every request. JaasSecurityManager uses an internal cache to avoid calling the LoginModules too frequently and to reduce overhead.

      I had a closer look at the source of JaasSecurityManager and enabled some debug output. I can see that the credentials get checked the first time I log in, but I can't see anything happen on the next HTTP requests. Do the security mechanisms of the web container have another cache? I'd like to know which classes are involved here that call the SecurityManager.

      What would happen in a load-balanced JBoss environment? I could enable session replication, but I think that, as the SecurityManager is not part of the web container, this would not help much. With BASIC authentication, the credentials sent by the browser could be used to authenticate again against the SecurityManager, but what about FORM authentication? Do the credentials get stored somewhere in the web session?

      Do I maybe need to replicate the SecurityManager cache? I'm not experienced with JBoss clusters, so I don't know exactly what can be shared in a load-balanced JBoss cluster.

      I'd be happy to have documentation about how all this works in detail. I just could not find the right documents yet; maybe somebody could give me some hints and tell me where to look.