a) I am trying to move away from the old JaasSecurityManagerService way of creating a security manager. Now that I have interfaces for Authentication, Authorization, Audit, Mapping and IdentityTrust managers, I need to be able to inject these into the containers (web, ejbs). I have a consolidated interface called ISecurityManagement which can be injected into the deployers. This ISecurityManagement implementation can get the managers from anywhere. The current implementation in AS5 gets it from JNDI (called JNDIBasedSecurityManagement).
- The EJB3 layer injection of ISecurityManagement is hard coded.
b) Now that the SPI is relatively stable, I would like to concentrate on bug fixes for the rest of the month until AS5 Beta3. After that I can work on the modules for IdentityTrust, Role Mapping and Audit.
I want to jot down the current effort at integrating security into AS5.
At the container level (web/ejb), I am injecting 3 things via the deployers:
a) ISecurityManagement instance - this is just an interface to obtain the SecurityManager (AuthenticationManager, AuthorizationManager, AuditManager etc.) given a security domain. (The default implementation that will be injected will be based on JNDI. So if I say securityManagement.getAuthenticationManager, that is internally going to do a JNDI lookup.)
The only code that should be doing a jndi lookup is integration code that handles the dependency injection on the deployer. As part of the metadata unification, generic jndi dependencies should be producing a generic version of the org.jboss.ejb3.dependencyJndiDemandMetaData/JndiDemandDependencyItem I added for a jndi based injection issue.
c) SecurityContextClassName - The Container creates a security context in the thread of execution. This FQN tells which SecurityContext implementation needs to be created.
The container after creating the SC, injects the SecurityManagement instance into the SC, such that whenever any code asks the SC for a SecurityManager, it can delegate it to the SecurityManagement instance.
war-deployer-beans.xml:

    <!-- The WebMetaData to service mbean deployer -->
    <bean name="WarDeployer" class="org.jboss.web.tomcat.service.deployers.TomcatDeployer">
      ...
      <!-- Specify a SecurityManagement Wrapper -->
      <property name="securityManagement">
        <inject bean="JNDIBasedSecurityManagement"/>
      </property>
      <!-- Specify a SecurityContext FQN class name -->
      <property name="securityContextClassName">org.jboss.security.plugins.JBossSecurityContext</property>
    </bean>
Similar case exists for the EJB deployer.
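The following is an added sketch of the injection chain the post above describes; it is illustration code written for this page, not JBoss AS5 code. The names ISecurityManagement, AuthenticationManager and SecurityContext echo the thread, but every method signature is an assumption, a HashMap stands in for the JNDI lookup that JNDIBasedSecurityManagement performs, and the domain name "other" and its managers are constructed sample values. It shows the two deployer-injected properties (the ISecurityManagement instance and the SecurityContext class name) being used by a container to create a per-thread SecurityContext that delegates manager lookups back to the injected ISecurityManagement.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not JBoss AS5 code. Signatures below are assumptions.

interface AuthenticationManager {
    boolean isValid(String principal, Object credential);
}

interface AuthorizationManager {
    boolean isAuthorized(String principal, String resource);
}

// Consolidated interface: hands out the managers for a given security domain.
interface ISecurityManagement {
    AuthenticationManager getAuthenticationManager(String securityDomain);
    AuthorizationManager getAuthorizationManager(String securityDomain);
}

// Stand-in for the JNDI-based implementation: a registry map replaces the
// InitialContext lookup so the example runs without a server (assumption).
class RegistryBasedSecurityManagement implements ISecurityManagement {
    private final Map<String, AuthenticationManager> authn = new HashMap<>();
    private final Map<String, AuthorizationManager> authz = new HashMap<>();

    void bind(String domain, AuthenticationManager am, AuthorizationManager az) {
        authn.put(domain, am);
        authz.put(domain, az);
    }

    // Fail closed: an unbound domain is an error, not a null a caller might ignore.
    public AuthenticationManager getAuthenticationManager(String domain) {
        AuthenticationManager am = authn.get(domain);
        if (am == null) throw new IllegalStateException("no AuthenticationManager for domain " + domain);
        return am;
    }

    public AuthorizationManager getAuthorizationManager(String domain) {
        AuthorizationManager az = authz.get(domain);
        if (az == null) throw new IllegalStateException("no AuthorizationManager for domain " + domain);
        return az;
    }
}

// Security context for one thread of execution. The container creates it and
// injects the ISecurityManagement instance; manager requests are delegated to it.
class SecurityContext {
    private final String securityDomain;
    private ISecurityManagement securityManagement;

    SecurityContext(String securityDomain) { this.securityDomain = securityDomain; }

    void setSecurityManagement(ISecurityManagement sm) { this.securityManagement = sm; }

    AuthenticationManager getAuthenticationManager() {
        if (securityManagement == null) throw new IllegalStateException("SecurityManagement not injected");
        return securityManagement.getAuthenticationManager(securityDomain);
    }

    AuthorizationManager getAuthorizationManager() {
        if (securityManagement == null) throw new IllegalStateException("SecurityManagement not injected");
        return securityManagement.getAuthorizationManager(securityDomain);
    }
}

// Container side: the two deployer-injected properties and the per-thread context built from them.
class ContainerSketch {
    private static final ThreadLocal<SecurityContext> CURRENT = new ThreadLocal<>();
    private final ISecurityManagement securityManagement; // property "securityManagement"
    private final String securityContextClassName;        // property "securityContextClassName"

    ContainerSketch(ISecurityManagement sm, String securityContextClassName) {
        this.securityManagement = sm;
        this.securityContextClassName = securityContextClassName;
    }

    SecurityContext establish(String securityDomain) throws ReflectiveOperationException {
        Class<?> c = Class.forName(securityContextClassName);
        SecurityContext sc = (SecurityContext) c.getDeclaredConstructor(String.class).newInstance(securityDomain);
        sc.setSecurityManagement(securityManagement);
        CURRENT.set(sc);
        return sc;
    }

    static SecurityContext current() { return CURRENT.get(); }

    // Remove thread-bound state when the request ends, otherwise the next request
    // served by the same pooled thread inherits the previous caller's context.
    void clear() { CURRENT.remove(); }
}

public class SecurityInjectionDemo {
    public static void main(String[] args) throws Exception {
        RegistryBasedSecurityManagement sm = new RegistryBasedSecurityManagement();
        // Constructed sample managers for a placeholder domain named "other".
        sm.bind("other",
                (principal, credential) -> "anil".equals(principal) && "secret".equals(credential),
                (principal, resource) -> "anil".equals(principal));

        ContainerSketch container = new ContainerSketch(sm, SecurityContext.class.getName());
        container.establish("other");
        try {
            SecurityContext sc = ContainerSketch.current();
            System.out.println("authenticated: " + sc.getAuthenticationManager().isValid("anil", "secret"));
            System.out.println("authorized:    " + sc.getAuthorizationManager().isAuthorized("anil", "/admin"));
        } finally {
            container.clear();
        }
    }
}
```

Two points a reviewer of the real integration would want preserved: the lookup fails closed when a domain has no manager bound (rather than returning null into a security check), and the thread-bound context is cleared in a finally block so a pooled container thread never carries one caller's context into the next request.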
Ultimately this should be outside of the deployer in the security interceptor configuration. Configs like the ejb3-interceptors-aop.xml should be injecting the Security related beans that are defined in the security-deployer-beans.xml or similar. I don't see these properties in the current TomcatDeployer. Is this checked in?
org.jboss.web.tomcat.service.deployers.TomcatDeployer:

    /** The JBoss Security Manager Wrapper */
    private ISecurityManagement securityManagement;

    /** FQN of the SecurityContext Class */
    private String securityContextClassName;