<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
<table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td>
<table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
<h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
<!-- To have a header image/logo replace the name below with your img tag -->
<!-- Email clients will render the images when the message is read so any image -->
<!-- must be made available on a public server, so that all recipients can load the image. -->
<a href="http://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">JBoss Community</a></h1>
</td>
</tr>
<tr>
<td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
Re: AS7: Web Security - JBossWebRealm
</h3>
<span style="margin-bottom: 10px;">
created by <a href="http://community.jboss.org/people/anil.saldhana%40jboss.com">Anil Saldhana</a> in <i>PicketBox Development</i> - <a href="http://community.jboss.org/message/580887#580887">View the full discussion</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content"><p>==================</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:16:26 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: I need a generic classloader where I can set infinite set of delegate CLs (which will be module CLs)</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:16:57 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>===</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:17:00 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>(10:13:54 AM) <span style="font-size: 12pt;">anil: marcus: maybe we can have a generic classloader with two delegates</span></p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:17:00 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span><span style="font-size: 12pt;">(10:14:07 AM) anil: marcus: in our integration code (web, ejb etc) we can just use that generic CL</span></p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:17:00 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span><span style="font-size: 12pt;">(10:14:25 AM) anil: marcus: GenCL( Pbox, WebCL)</span></p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:17:00 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span><span style="font-size: 12pt;">(10:14:34 AM) anil: marcus: GenCL( Pbox, EJBCL)</span></p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:17:01 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>========</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:17:01 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>easy, use a module with a fallback local loader :)0</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:17:33 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>though I think there's probably a better solution to whatever problem you have</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:17:44 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: that is why I am asking u. <span> :) </span></p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:18:06 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: I think we have the security module (pbox).  But we also need to get hold of the integration layer CL </p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:18:15 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: such as web, ejb etc.</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:18:17 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>what's the use case?</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:19:02 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: the use case is this way.  The web cl may have artifacts (properties files etc) needed to make security decisions.  But the security subsystem will need the pbox module loader to load things such as security login modules.</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:19:30 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>from what context?</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:19:46 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: ?</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:19:56 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>is this happening during a servlet request?</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:20:12 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: web security check</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:20:13 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>or an EJB call?</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:20:22 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: ejb security check</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:20:34 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>ok during both of those cases, we have a TCCL of the deployment class loader right?</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:20:39 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: we use the TCCl inside to load resources if possible</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:21:15 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: the depl cl does not have the Pbox loader associated</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:21:25 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>if you know where a resource is coming from, you can choose: TCCL for the deployment, the PB module CL for PB resources, other module CLs for module-specific resources</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:21:58 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: when I send a check into the security subsystem,  I need all of those</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:22:26 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>if not, then you *may* define a module which delegates to the deployment plus any additional CLs you have (we call this an "aggregator" module), but it should only be a last resort</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:22:54 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>for example, you should never define system-wide resources by what you find in a deployment</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:23:15 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: I may be looking for resources under WEB-INF/classes</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:23:23 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: that is part of the servlet cl</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:24:00 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: as an user, I may write a LM that looks for resources on tccl.</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:24:10 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: I dont write the LM with web apps in mind</p><p><span style="color: #4bdc52; font-size: 10pt; font-weight: normal;">(10:26:12 AM) </span><span style="font-weight: normal; color: #4bdc52;">wolfc: </span>dmlloyd, I've rewritten the commits <a class="jive-link-external-small" href="https://github.com/wolfc/invocation-api/commits/wolfc">https://github.com/wolfc/invocation-api/commits/wolfc</a></p><p><span style="color: #4bdc52; font-size: 10pt; font-weight: normal;">(10:26:50 AM) </span><span style="font-weight: normal; color: #4bdc52;">wolfc: </span>I actually expected the rebase to take the last commit time of commits squashed together</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:29:37 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>asoldano: <a class="jive-link-external-small" href="http://github.com/dmlloyd/jboss-modules/commit/fc36308">http://github.com/dmlloyd/jboss-modules/commit/fc36308</a></p><p><span style="color: #1825af; font-size: 10pt; font-weight: normal;">(10:29:38 AM) </span><span style="font-weight: normal; color: #1825af;">jbossbot: </span><strong>git</strong> [<span style="font-size: 12pt;"><span>jboss-modules</span>]<span style="color: orange;"> fc36308..</span> <span style="color: purple;">David M. Lloyd</span> Document out the module.xml schema, fix problems in the module ID validation</span></p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:29:49 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span><span> :) </span></p><p><span style="color: #af7f00; font-size: 10pt; font-weight: normal;">(10:30:19 AM) </span><span style="font-weight: bold; color: #af7f00;">dmlloyd: </span>asaldhan: well I think we have a couple options at our disposal.  Let me know when you guys want to start coding it up and we'll walk through a first cut</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:30:51 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: I am ready and willing.</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:30:53 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: I do</p><p><span style="font-size: 10pt; font-weight: normal;">(10:33:50 AM) </span><strong style="font-size: 12pt;">kkhan left the room (quit: Quit: kkhan).</strong></p><p><span style="color: #af7f00; font-size: 10pt; font-weight: normal;">(10:34:02 AM) </span><span style="font-weight: bold; color: #af7f00;">dmlloyd: </span>asaldhan: ok so what we're really talking about is setting a new TCCL while LMs do their thing, right?</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:34:22 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: right.</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:34:46 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: and the tccl is very short in lifetime</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:34:47 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>are we the ones instantiating the LM or does the user create and use it without our intervention?</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:34:51 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: just the security check</p><p><span style="color: #591f51; font-size: 10pt; font-weight: normal;">(10:35:32 AM) </span><span style="font-weight: normal; color: #591f51;">asoldano: </span>dmlloyd, thanks, reading it</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:35:33 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: the path is this:    web layer ->  web sec layer --> picketbox  -> jaas  -> class.forName(LM)  ->  scan </p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:35:47 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>ok, excellent, so we have control of that code path</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:35:54 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: scan maybe looking for tccl resources</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:36:10 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: I dont want to do any tccl business in PBox and beyond</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:36:17 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: I want it set before PBox</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:36:33 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: the same happens in EJB too</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:37:26 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>so what we could do is create an aggregator module which includes the deployment plus picketbox and whatever else you want included and use that module CL as the TCCL during JAAS activities</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:37:56 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: that can work</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:38:21 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: do u have aggregator module examples?</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:38:38 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>only static module.xml ones.</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:38:45 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>the way we have to do this is different though.</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:39:01 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>we need a deployer phase which constructs it and attaches it to the deployment unit.</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:39:18 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>there is only one place in code that builds a module right now...</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:40:08 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: ok got that.</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:40:24 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: let me discuss the other option. tell me what the -ves are</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:40:49 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: I have a TwoDelegateCL that I am going to set and throwaway for just one security check.  I set whatever CL delegates I want.</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:41:17 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: what can go wrong?</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:41:26 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>sure, just have to beware of deadlocks.</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:41:36 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>and there may be additional cost to constructing CLs, not sure</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:42:07 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>if you run into problems, just change your CL to extend ConcurrentClassLoader instead (from jboss-modules).</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:42:29 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>it takes care of some of the deadlock issues you can get with delegating CLs.</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:43:31 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: I suggested a generic delegating CL because multiple modules (web, ejb etc) have security checks</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:44:20 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>right, but really you only need one per deployment</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:44:30 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>it would just delegate to the deployment + PB really</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:44:49 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: does the war deployment CL follow servlet spec CLoading?</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:44:51 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>alternatively we could simply just add PB to all deployments implicitly <span> :) </span></p><p><span style="color: #af7f00; font-size: 10pt; font-weight: normal;">(10:45:03 AM) </span><span style="font-weight: bold; color: #af7f00;">dmlloyd: </span>yeah, asaldhan, but that shouldn't affect your delegate impl</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:45:19 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>all that affects is the ordering of dependencies in that particular module</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:45:34 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: the reason I asked  is  I dont want user to seek  TCCL.getResource("/WEB-INF/classes/xyz")  he seeks xyz</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:45:45 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>right</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:46:00 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>they won't have to do that regardless</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:46:31 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: cool.  regarding implicit addition of the PB module.  if we can do it just the main subsystems, that would work.  web, ejb, jca etc</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:46:35 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: that need sec checks</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:47:03 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>sure. that's pretty easy, just add a processor in Phase.DEPENDENCIES</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:47:32 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: give me an example of where this is done.  any subsystem?</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:47:35 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>add PB to Attachments.MODULE_DEPENDENCIES on the deployment unit</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:47:41 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>for an example, see...</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:47:59 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>org.jboss.as.managedbean.processors.ManagedBeanDependencyProcessor#deploy()</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:48:03 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>that's a pretty clean sample.</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:48:11 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>pretty much any of baileyje's code makes for good examples.</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:48:16 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: cool </p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:48:29 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>the relevant stuff is at the end of that method</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:48:34 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>you don't need any of the resource roots crap</p><p><span style="font-size: 10pt; font-weight: normal;">(10:53:00 AM) </span><strong style="font-size: 12pt;">pmuir left the room (quit: Quit: Leaving).</strong></p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:53:08 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: with a deployment unit, can I know what type it is?  web, ejb etc?</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:53:19 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: or do I have check the suffix or something</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:54:32 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>yeah different deployment types have different "markers"</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:54:44 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>what I recommend though is adding your own attachment type</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:54:58 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>it would be something like SECURITY_DEPLOYMENT, with a type of Boolean</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:55:00 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: cool.  I think baileyje's code is self-explanatory</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:55:22 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>then in each deployer which identifies a deployment type (i.e. war, ejb, whatever) you can add that attachment too</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:55:30 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>that'll tell your processor to add the dependency</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:55:41 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: got it. an optimization would be if there are no sec stuff in the war, dont add sec deps in any way</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:55:58 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>right, the war deployer can make that call</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:56:11 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>also if there are new types that you did not anticipate, they can add the marker as well</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:56:21 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: right.</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:57:20 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: historically, we have had security deployers happening before the web, ejb deployers</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:57:51 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: so the war deployers will probably remove the attachments if there is no sec needed.</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:57:57 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: based on deployment metadata</p><p><span style="color: #73d216; font-size: 10pt; font-weight: normal;">(10:58:14 AM) </span><span style="font-weight: normal; color: #73d216;">dmlloyd: </span>sure, it can happen in whatever order makes the most sense.</p><p><span style="color: #204a87; font-size: 10pt; font-weight: normal;">(10:58:38 AM) </span><span style="font-weight: bold; color: #204a87;">asaldhan: </span>dmlloyd: got it.  Thanks for the discussion.... I am going to copy/paste the discussion into that forum thread on web sec.</p><p>==========================</p></div>
<div style="background-color: #f4f4f4; padding: 10px; margin-top: 20px;">
<p style="margin: 0;">Reply to this message by <a href="http://community.jboss.org/message/580887#580887">going to Community</a></p>
<p style="margin: 0;">Start a new discussion in PicketBox Development at <a href="http://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2088">Community</a></p>
</div></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>