On 10/7/11 12:18 AM, Anil Saldhana wrote:
> JAAS framework was created before EE adopted it. It is supposed to be a
> stateless model.
> CBH are stateful. The authentication cache in the JBoss security
> subsystem caches entries at the security domain level. There is no need
> to go to the JAAS framework every time you need to authenticate a user.
> If the cache is missed, that is when you invoke the stateless JAAS
> framework with a stateful CBH. After successful auth, cache is updated.

Again, this can be a *BAD* thing. Cache decisions can and should be a
property of the underlying store. An example is an HTTP-based IDP which
uses Cache-Control semantics to specify cache policies for an identity.
This is all besides the fact... The current model of JAAS modules isn't
very flexible and has led to a lot of bad design decisions. IMO at least.

> Why would I cache a properties data? Each time I want to add a user to
> the props file, I have to bounce the server? Also in regular usage of
> JBoss apps, we do not recommend the users/roles props security.

What are you talking about? This is an implementation detail of the
storage mechanism and really has nothing to do with the problems of the
current API/SPI or any new SPI that is introduced.
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
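
Added example (not part of the original thread and not JBoss code): a credential cache in which the identity store's `Cache-Control` value, rather than the cache itself, sets each entry's lifetime, as in the HTTP-based IDP case raised above. It assumes Java 16 or later; `StorePolicyAuthCache`, `IdentityStore` and `StoreResult` are hypothetical names.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration: every name here is hypothetical, not JBoss or PicketBox API.
public class StorePolicyAuthCache {
    record StoreResult(boolean ok, String cacheControl) {}  // verdict plus the store's header value
    interface IdentityStore { StoreResult authenticate(String user, String password) throws Exception; }
    private record Entry(byte[] tag, long expiresAt) {}

    private static final Pattern MAX_AGE = Pattern.compile("max-age=(\\d{1,9})");
    private final Map<String, Entry> cache = new ConcurrentHashMap<>();
    private final byte[] key = new byte[32];                // per-process HMAC key
    private final IdentityStore store;

    StorePolicyAuthCache(IdentityStore store) { this.store = store; new SecureRandom().nextBytes(key); }

    // Keyed tag, so the cache holds neither the password nor a bare hash of it.
    private byte[] tag(String user, String password) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal((user + "\0" + password).getBytes(StandardCharsets.UTF_8));
    }

    boolean authenticate(String user, String password) throws Exception {
        byte[] t = tag(user, password);
        Entry e = cache.get(user);
        if (e != null && System.currentTimeMillis() < e.expiresAt() && MessageDigest.isEqual(e.tag(), t))
            return true;                                    // fresh hit: store is not consulted
        StoreResult r = store.authenticate(user, password); // miss, expired, or different credential
        cache.remove(user);                                 // drop whatever was cached for this user
        if (!r.ok()) return false;
        long ttl = ttlSeconds(r.cacheControl());
        if (ttl > 0) cache.put(user, new Entry(t, System.currentTimeMillis() + ttl * 1000));
        return true;
    }

    // The store decides: no-store, no-cache or a missing max-age all mean "do not cache".
    static long ttlSeconds(String cacheControl) {
        if (cacheControl == null) return 0;
        String cc = cacheControl.toLowerCase();
        if (cc.contains("no-store") || cc.contains("no-cache")) return 0;
        Matcher m = MAX_AGE.matcher(cc);
        return m.find() ? Long.parseLong(m.group(1)) : 0;
    }
}
```

A store backed by a frequently edited file can return `no-store` so that every login reaches it, while a remote IDP can return `max-age=300` to bound how long a revoked or changed credential keeps working from the cache.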