[jboss-as7-dev] Security Domain Config: JASPI vs Classic?
Bill Burke
bburke at redhat.com
Fri Oct 7 10:04:48 EDT 2011
On 10/7/11 12:18 AM, Anil Saldhana wrote:
> JAAS framework was created before EE adopted it. It is supposed to be a
> stateless model.
>
> CBH are stateful. The authentication cache in the JBoss security
> subsystem caches entries at the security domain level. There is no need
> to go to the JAAS framework every time you need to authenticate a user.
> If the cache is missed, that is when you invoke the stateless JAAS
> framework with a stateful CBH. After successful auth, cache is updated.
>
Again, this can be a *BAD* thing. Cache decisions can and should be a
property of the underlying store. An example is an HTTP-based IDP which
uses Cache-Control semantics to specify cache policies for an identity.
This is all besides the fact... The current model of JAAS modules isn't
very flexible and has led to a lot of bad design decisions. IMO at least.
> Why would I cache a properties data? Each time I want to add an user to
> the props file, I have to bounce the server? Also in regular usage of
> JBoss apps, we do not recommend the users/roles props security.
>
What are you talking about? This is an implementation detail of the
storage mechanism and really has nothing to do with the problems of the
current API/SPI or any new SPI that is introduced.
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
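
The design point argued in this thread, as an added example that is not part of the original message and is not JBoss code: an authentication cache whose entry lifetime is dictated by the identity store (as an HTTP IDP would via Cache-Control) instead of being fixed at the security domain. `StoreDirectedAuthCache`, `IdentityStore` and `AuthResult` are hypothetical names; Java 16+ is assumed for records.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class StoreDirectedAuthCache {
    // Outcome plus the store's own cache policy; Duration.ZERO means "do not cache".
    record AuthResult(boolean ok, Duration maxAge) {}
    // Hypothetical SPI: an HTTP IDP adapter would map Cache-Control max-age/no-store to maxAge.
    interface IdentityStore { AuthResult authenticate(String user, char[] password) throws Exception; }
    private record Entry(byte[] salt, byte[] digest, Instant expires) {}

    private final Map<String, Entry> cache = new ConcurrentHashMap<>();
    private final IdentityStore store;
    StoreDirectedAuthCache(IdentityStore store) { this.store = store; }

    boolean authenticate(String user, char[] password) throws Exception {
        Entry e = cache.get(user);
        if (e != null && Instant.now().isBefore(e.expires())
                && MessageDigest.isEqual(e.digest(), digest(e.salt(), password))) {
            return true;                    // fresh hit and the presented credential matches
        }
        cache.remove(user);                 // expired or mismatched entry: drop it, ask the store
        AuthResult r = store.authenticate(user, password);
        // Failures are never cached; successes only for as long as the store permits.
        if (r.ok() && !r.maxAge().isZero() && !r.maxAge().isNegative()) {
            byte[] salt = new byte[16];
            new SecureRandom().nextBytes(salt);
            cache.put(user, new Entry(salt, digest(salt, password), Instant.now().plus(r.maxAge())));
        }
        return r.ok();
    }
    private static byte[] digest(byte[] salt, char[] password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);                    // salted digest so the cache holds no cleartext
        return md.digest(new String(password).getBytes(StandardCharsets.UTF_8));
    }
    public static void main(String[] args) throws Exception {
        // Constructed stores: one permits 60 s of caching, one forbids it (Duration.ZERO).
        for (Duration policy : new Duration[] {Duration.ofSeconds(60), Duration.ZERO}) {
            int[] calls = {0};
            StoreDirectedAuthCache c = new StoreDirectedAuthCache((u, p) -> { calls[0]++; return new AuthResult(true, policy); });
            c.authenticate("alice", "pw".toCharArray());
            c.authenticate("alice", "pw".toCharArray());
            System.out.println("policy " + policy + " -> store calls: " + calls[0]);
        }
    }
}
```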