4 Replies Latest reply on Sep 28, 2007 2:18 PM by Anil Saldanha

    Security Integration in JBAS5

    Anil Saldanha Master

      I want to jot down the current effort at integrating security into AS5.

      At the container level (web/ejb), I am injecting 3 things via the deployers:
      a) ISecurityManagement instance - this is just a interface to obtain the SecurityManager(AuthenticationManager,AuthorizationManager,AuditManager etc) given a security domain. (The default implementation that will be injected will be based on JNDI. So if I say securityManagement.getAuthenticationManager, that is internally going to do a JNDI lookup).

      b) DefaultSecurityDomain - a security domain string to fall back on.

      c) SecurityContextClassName - The Container creates a security context in the thread of execution. This FQN tells which SecurityContext implementation needs to be created.
      The container after creating the SC, injects the SecurityManagement instance into the SC, such that whenever any code asks the SC for a SecurityManager, it can delegate it to the SecurityManagement instance.


      war-deployer-beans.xml
      
       <!-- The WebMetaData to service mbean deployer -->
       <bean name="WarDeployer" class="org.jboss.web.tomcat.service.deployers.Tomcat
      Deployer">
       ...
       <!-- Specify a SecurityManagement Wrapper -->
       <property name="securityManagement">
       <inject bean="JNDIBasedSecurityManagement"/>
       </property>
      
       <!-- Specify a SecurityContext FQN class name -->
       <property name="securityContextClassName">org.jboss.security.plugins.JBos
      sSecurityContext</property>
      


      Similar case exists for the EJB deployer.

        • 1. Re: Security Integration in JBAS5
          Anil Saldanha Master

          a) I am trying to move away from the old JaasSecurityManagerService way of creating a security manager. Now that I have interfaces for Authentication,Authorization,Audit,Mapping and IdentityTrust managers., I need to be able to inject these into the containers (web, ejbs). I have a consolidated interface called as ISecurityManagement which can be injected into the deployers. This ISecurityManagement implementation can get the managers from anywhere. The current implementation in AS5 gets it from JNDI (called as JNDIBasedSecurityManagement).
          - The EJB3 layer injection of ISecurityManagement is hard coded.
          http://jira.jboss.com/jira/browse/JBAS-4722

          b) Now that the SPI is relatively stable, I would like to concentrate on bug fixes for the rest of the month until AS5 Beta3. After that I can work on the modules for IdentityTrust, Role Mapping and Audit.

          • 2. Re: Security Integration in JBAS5
            Scott Stark Master

             

            "anil.saldhana@jboss.com" wrote:
            I want to jot down the current effort at integrating security into AS5.

            At the container level (web/ejb), I am injecting 3 things via the deployers:
            a) ISecurityManagement instance - this is just a interface to obtain the SecurityManager(AuthenticationManager,AuthorizationManager,AuditManager etc) given a security domain. (The default implementation that will be injected will be based on JNDI. So if I say securityManagement.getAuthenticationManager, that is internally going to do a JNDI lookup).

            The only code that should be doing a jndi lookup is integration code that handles the dependency injection on the deployer. As part of the metadata unification, generic jndi dependences should be producing a generic version of the org.jboss.ejb3.dependencyJndiDemandMetaData/JndiDemandDependencyItem I added for a jndi based injection issue.


            • 3. Re: Security Integration in JBAS5
              Scott Stark Master

               

              "anil.saldhana@jboss.com" wrote:

              c) SecurityContextClassName - The Container creates a security context in the thread of execution. This FQN tells which SecurityContext implementation needs to be created.
              The container after creating the SC, injects the SecurityManagement instance into the SC, such that whenever any code asks the SC for a SecurityManager, it can delegate it to the SecurityManagement instance.


              war-deployer-beans.xml
              
               <!-- The WebMetaData to service mbean deployer -->
               <bean name="WarDeployer" class="org.jboss.web.tomcat.service.deployers.Tomcat
              Deployer">
               ...
               <!-- Specify a SecurityManagement Wrapper -->
               <property name="securityManagement">
               <inject bean="JNDIBasedSecurityManagement"/>
               </property>
              
               <!-- Specify a SecurityContext FQN class name -->
               <property name="securityContextClassName">org.jboss.security.plugins.JBos
              sSecurityContext</property>
              


              Similar case exists for the EJB deployer.

              Ultimately this should be outside of the deployer in the security interceptor configuration. Configs like the ejb3-interceptors-aop.xml should be injecting the Security related beans that are defined in the security-deployer-beans.xml or similar. I don't see these properties in the current TomcatDeployer. Is this checked in?


              • 4. Re: Security Integration in JBAS5
                Anil Saldanha Master

                 

                 org.jboss.web.tomcat.service.deployers.TomcatDeployer
                 /** The JBoss Security Manager Wrapper */
                 private ISecurityManagement securityManagement;
                 /** FQN of the SecurityContext Class */
                 private String securityContextClassName;