[jboss-as7-dev] Security Domain Config: JASPI vs Classic?

Stefan Guilhen sguilhen at redhat.com
Mon Oct 3 10:10:13 EDT 2011


Anil has created the original jaspi configuration, so he can provide 
further details in case I miss anything here.

The JASPI config consists of two sections: one identifies the module 
that is capable of handling the request message and extracting security 
attributes from this message, and one section that identifies the set of 
modules that will handle the JAAS authentication once the attributes 
have been obtained.

An example of the former is the HTTPBasicServerAuthModule - this module 
gets the HTTPServletRequest from the MessageInfo and searches for the 
username and password in the proper HTTP headers. Once this data is 
retrieved, this module delegates the real authentication to the set of 
modules that have been configured in the login-module-stack. Something 
like this:

<authentication-jaspi>
    <login-module-stack name="myConfig">
        <login-module name="UsersRoles"....>
            ..
        </login-module>
    </login-module-stack>
    <auth-module code="org.jboss....HTTPBasicServerAuthModule"
                 login-module-stack-ref="myConfig"/>
</authentication-jaspi>

In a sense the login-module-stack is just a wrapper with a name for a 
set of modules and we surely could have it for the classic 
authentication modules too, but I think this would just unnecessarily 
add an extra element to every security domain config.

On 10/03/2011 10:43 AM, Marcus Moyses wrote:
> Do you plan to make those attributes optional or mandatory? I guess if
> they were optional there would be no problem to merge the
> configurations. Making them required would add some confusion to
> customers I guess.
> Anyway, Stefan implemented the JASPI integration last week and was about
> to send a pull request so you might want to check with him so your
> commits don't conflict.
>
> On 10/03/2011 02:28 AM, Jason T. Greene wrote:
>> Right now the security domain configuration has separate sections for
>> JASPI and Classic/Basic authentication. The only difference seems to
>> be that JASPI authentication requires an additional name field per
>> module, and JASPI authorization requires an additional login-module
>> reference. So essentially it's a superset.
>>
>> Is there a reason we would not want to just switch to the JASPI style
>> of specification, and eliminate the classic style? A name per login
>> module seems useful anyway.
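
The two-part flow described in the message above, sketched as an added example; it is not part of the original post and is not the source of the JBoss HTTPBasicServerAuthModule. It assumes the stack name reaches the module as an option named login-module-stack-ref and that a JAAS configuration entry with that name exists; the class name and the realm string are made up.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.message.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

public class SketchBasicAuthModule implements ServerAuthModule {
    private String stack; // JAAS entry to delegate to (option key is an assumption)
    public void initialize(MessagePolicy in, MessagePolicy out, CallbackHandler h, Map options) {
        stack = (String) options.get("login-module-stack-ref");
    }
    public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }
    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service) {
        // Part 1: extract the security attributes from the request message.
        String hdr = ((HttpServletRequest) info.getRequestMessage()).getHeader("Authorization");
        if (hdr == null || !hdr.regionMatches(true, 0, "Basic ", 0, 6)) return challenge(info);
        try {
            String pair = new String(Base64.getDecoder().decode(hdr.substring(6).trim()), StandardCharsets.UTF_8);
            int colon = pair.indexOf(':'); // first colon only: the password may contain ':'
            if (colon < 1) return challenge(info); // no separator or empty user name
            String user = pair.substring(0, colon);
            char[] pass = pair.substring(colon + 1).toCharArray();
            // Part 2: delegate the real authentication to the named login module stack.
            new LoginContext(stack, client, callbacks -> {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass);
                    else throw new UnsupportedCallbackException(cb);
                }
            }).login();
            return AuthStatus.SUCCESS;
        } catch (IllegalArgumentException | LoginException e) {
            return challenge(info); // malformed Base64 and rejected login get the same answer
        }
    }
    private AuthStatus challenge(MessageInfo info) {
        HttpServletResponse rsp = (HttpServletResponse) info.getResponseMessage();
        rsp.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
        rsp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return AuthStatus.SEND_CONTINUE;
    }
    public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo info, Subject subject) { if (subject != null) subject.getPrincipals().clear(); }
}
```

The module never decides whether the password is right; that stays with whichever login modules the referenced stack lists, which is why the stack needs a name to be referenced by.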


