[jboss-dev] pluggable auth-method

[Bill Burke]

Just guessing,

Isn't the login module responsible for the actual authentication and 
authorization?  Tomcat authenticator is just responsible for extracting 
header info?

Sergey Beryozkin wrote:
> Hi
> 
>> You can achieve by writing a tomcat authenticator and putting it in 
>> WEB-INF/context.xml (JBAS) or META-INF/context.xml (tomcat).
>>
>> The auth-name is a string defined in the servlet spec.
>>
> 
> thanks for the tip.
> 
> What is the difference between writing a custom Tomcat authenticator and a custom LoginModule, example,
> org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule ?
> 
> My understanding is that having custom login modules :
>  - makes it easy to stack together different modules, as shown for ex at [1]
>  - but requires the explicit loading of (JBoss Security) AuthenticationManager (at least when services are POJOs)
> 
> cheers, Sergey 
> 
> [1] http://community.jboss.org/wiki/SAMLEJBIntegrationwithPicketLinkSTS
>  
> 
>> On 07/13/2010 11:35 AM, Bill Burke wrote:
>>> Remy, Anil,
>>>
>>> (I'm cc'ing jboss-dev for archive purposes)
>>>
>>> Sergey , a new web services/resteasy hire, has done some great work
>>> around OAuth lately.  I'm interested in taking his stuff to the next
>>> level and make it consumable in a way JBoss AS users are used to 
>>> configuring security.
>>>
>>> Specifically, I'm interested in defining a OAuth 
>>> login-config/auth-method within web.xml i.e.
>>>
>>> <login-config>
>>> <auth-name>OAuth</auth-name>
>>> <realm-name>...</realm-name>
>>> </login-config>
>>>
>>> This would be an initial step, eventually I'd like to be able to 
>>> configure a web app to support multiple authentication mechanisms,
>> so 
>>> that one URL could support both OAuth and traditional clients.
>>>
>>> Is JSR 196 the way to do this?  Do we support in AS6?  Is there doco
>>> someplace?  (I couldn't find with a search).
>>>
>>> Thanks,
>>>
>>> Bill

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com