[jboss-as7-dev] Security Domain Config: JASPI vs Classic?
Darran Lofthouse
darran.lofthouse at jboss.com
Tue Oct 4 11:22:08 EDT 2011
On 10/04/2011 04:11 PM, Bill Burke wrote:
>
>
> On 10/4/11 10:52 AM, Darran Lofthouse wrote:
>> For the loading of additional identity information for the authenticated
>> user, such as role information, I believe JAAS still has a place, and JAAS
>> as a complete authentication approach works with mechanisms such as
>> Plain, where we have a password we want to validate; but I also agree we
>> have moved beyond the point where we can assume we always have
>> everything in the incoming request to pass to JAAS to verify in isolation.
>>
>
> What Java EE SPI is there for authorization? Is there even one? In
> looking at our code, it just looks like we decided that our LoginModules
> are responsible for adding role information.
>
> In the architecture I proposed, we just had another callback interface:
For me the bigger problem I have encountered is on the authentication
side rather than on the side of loading the additional identity
information, but I see where you are coming from.
I think one requirement will be backwards compatibility where users have
invested in using LoginModules, but I suppose we could always supply
handler implementations ourselves to delegate to JAAS definitions where
those are still needed.
> public interface RoleSetCallback extends Callback {
>
>     Principal getPrincipal();
>     Set<Group> getRoleSet();
>     void setRoleSet(Set<Group> set);
> }
>
> And a handler can decide whether or not it supports that interface.
>
> Another interface we could add for AuthModules is a required callbacks
> method:
>
> interface RequiredCallbackInterfaces {
>
>     Set<Class<? extends Callback>> getRequiredInterfaces();
>
> }
>
> Then we could do some checking at deployment time to catch the case
> where an AuthModule needs a callback interface that isn't provided by
> the security domain.
>
>
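As an added example of the design Bill sketches above (not code from the thread, and not JBoss AS7 code), the following Java puts the RoleSetCallback and RequiredCallbackInterfaces ideas into a compilable form using only JDK types (Java 16 or later, for the record). PasswordCheckCallback stands in for JASPI's PasswordValidationCallback, the SecurityDomainHandler with its supports() method, the PlainAuthModule, the missingCallbacks() check and the sample user data are all assumptions made for the example. The module declares the callbacks it needs, the security domain declares what it can serve, the container compares the two at deployment time, and the handler still throws UnsupportedCallbackException at runtime so a gap the check missed ends in a denied login rather than a principal with no roles.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Hypothetical sketch of the thread's callback design (not JBoss AS7 code); JDK types only,
// and every class and method name below is an assumption made for this example.
public final class CallbackDesignSketch {
    // Roles are plain Principals here; java.security.acl.Group is gone from modern JDKs.
    public record NamePrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }
    // Assumed stand-in for JASPI's PasswordValidationCallback: module supplies the credential, domain validates it.
    public static final class PasswordCheckCallback implements Callback {
        final String username; final char[] password; boolean valid;
        PasswordCheckCallback(String username, char[] password) { this.username = username; this.password = password; }
    }
    // Bill's RoleSetCallback, made a Callback so a handler can fill it in.
    public static final class RoleSetCallback implements Callback {
        private final Principal principal;
        private Set<Principal> roles = Collections.emptySet();
        RoleSetCallback(Principal principal) { this.principal = principal; }
        public Principal getPrincipal() { return principal; }
        public Set<Principal> getRoleSet() { return roles; }
        public void setRoleSet(Set<Principal> set) { roles = set; }
    }
    // Declared by an auth module so the container can check coverage at deployment time.
    public interface RequiredCallbackInterfaces {
        Set<Class<? extends Callback>> getRequiredInterfaces();
    }
    // Security-domain side: a handler that can say up front which callbacks it supports.
    public static final class SecurityDomainHandler implements CallbackHandler {
        private final Map<String, char[]> users;          // constructed sample credential store
        private final Map<String, Set<Principal>> roles;  // constructed sample role store
        SecurityDomainHandler(Map<String, char[]> u, Map<String, Set<Principal>> r) { users = u; roles = r; }
        public boolean supports(Class<? extends Callback> t) { return t == PasswordCheckCallback.class || t == RoleSetCallback.class; }
        @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof PasswordCheckCallback) {
                    PasswordCheckCallback pc = (PasswordCheckCallback) cb;
                    char[] stored = users.get(pc.username);
                    // constant-time compare, so an unknown user and a wrong password look alike
                    pc.valid = stored != null && MessageDigest.isEqual(bytes(stored), bytes(pc.password));
                } else if (cb instanceof RoleSetCallback) {
                    RoleSetCallback rc = (RoleSetCallback) cb;
                    rc.setRoleSet(roles.getOrDefault(rc.getPrincipal().getName(), Collections.emptySet()));
                } else {
                    throw new UnsupportedCallbackException(cb); // still fail closed at runtime
                }
            }
        }
        private static byte[] bytes(char[] c) { return new String(c).getBytes(StandardCharsets.UTF_8); }
    }
    // A Plain-style module: validate the password it was handed, then ask the domain for roles.
    public static final class PlainAuthModule implements RequiredCallbackInterfaces {
        private final CallbackHandler handler;
        PlainAuthModule(CallbackHandler handler) { this.handler = handler; }
        @Override public Set<Class<? extends Callback>> getRequiredInterfaces() { return Set.of(PasswordCheckCallback.class, RoleSetCallback.class); }
        // principal -> roles on success, null on any failure (never a principal with guessed roles)
        public Map.Entry<Principal, Set<Principal>> authenticate(String user, char[] password) throws IOException {
            try {
                PasswordCheckCallback pc = new PasswordCheckCallback(user, password);
                handler.handle(new Callback[] { pc });
                if (!pc.valid) return null;
                Principal p = new NamePrincipal(user);
                RoleSetCallback rc = new RoleSetCallback(p);
                handler.handle(new Callback[] { rc });
                return Map.entry(p, rc.getRoleSet());
            } catch (UnsupportedCallbackException e) {
                return null; // a gap the deployment check missed: deny rather than grant without roles
            }
        }
    }
    // Deployment-time check: callbacks the module needs that the security domain cannot satisfy.
    public static Set<Class<? extends Callback>> missingCallbacks(RequiredCallbackInterfaces m, SecurityDomainHandler d) {
        Set<Class<? extends Callback>> missing = new LinkedHashSet<>();
        for (Class<? extends Callback> c : m.getRequiredInterfaces()) if (!d.supports(c)) missing.add(c);
        return missing;
    }
    public static void main(String[] args) throws IOException {
        SecurityDomainHandler domain = new SecurityDomainHandler(
                Map.of("alice", "s3cret".toCharArray()), Map.of("alice", Set.<Principal>of(new NamePrincipal("admin"))));
        PlainAuthModule module = new PlainAuthModule(domain);
        if (!missingCallbacks(module, domain).isEmpty()) throw new IllegalStateException("domain cannot serve module");
        System.out.println(module.authenticate("alice", "s3cret".toCharArray()));
        System.out.println(module.authenticate("alice", "wrong".toCharArray()));
        // a module that also needs NameCallback is rejected before it ever runs
        RequiredCallbackInterfaces other = () -> Set.of(RoleSetCallback.class, NameCallback.class);
        System.out.println("missing: " + missingCallbacks(other, domain));
    }
}
```

The point of keeping supports() and the runtime UnsupportedCallbackException both in place is that the deployment check is a convenience for the deployer, not the security boundary: a handler swapped in after deployment, or a module whose getRequiredInterfaces() under-reports, must still produce a failed login rather than a half-built identity.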