[jboss-as7-dev] web security extensions

Remy Maucherat rmaucher at redhat.com
Thu Jun 9 06:24:15 EDT 2011


On Wed, 2011-06-08 at 10:29 -0400, Bill Burke wrote:
> I agree that classnames in domain model == bad.  Maybe just have JBoss 
> Web subsystem search for extension files within META-INF/ of jars.  The 
> extension files would have metadata on how to bind a new auth-method.  I 
> think other subsystems in AS7 work similarly.
> 
> BTW, I don't get you.  You just completely contradicted yourself.  In 
> your reply to me you said "No way, it's non-portable".  In your reply to 
> Darren it's "I thought about it, but not sure how to do it yet."  Maybe I 
> should ask Darren to email you whenever I have a suggestion.

Your main proposal is to put proprietary things in web.xml (to indicate
the security domain info), and it's not a good idea.

Proprietary config should go either in the domain model, or in the
per-webapp jboss-web.xml.

Since an authenticator is a valve, it can be specified in jboss-web.xml
for any user-provided auth method. As a result, I did not bother trying
to fit an authenticator config in the domain model.

> Finally, what about my idea to delegate more to the security domain? 
> Like what authentication mechanism to apply, what valves to apply, etc.? 
>   I can see where you'd want one place to be able to modify how a set of 
> web apps are authenticated.

Valves can also be added by other subsystems. The security subsystem can
see that SPNEGO has been set as the auth method, and set whatever valve
it needs to implement it.

-- 
Remy Maucherat <rmaucher at redhat.com>
Red Hat Inc


