On 10/04/2011 04:11 PM, Bill Burke wrote:
> On 10/4/11 10:52 AM, Darran Lofthouse wrote:
> > For the loading of additional identity information for the authenticated
> > user such as role information I believe JAAS still has a place and JAAS
> > as a complete authentication approach works with mechanisms such as
> > Plain where we have a password we want to validate but I also agree we
> > have moved beyond the point where we can assume we always have
> > everything in the incoming request to pass to JAAS to verify in isolation.
> >
> What Java EE SPI is there for authorization? Is there even one? In
> looking at our code, it just looks like we just decided that our LoginModules
> are responsible for adding role information.

For me the bigger problem I have encountered is on the authentication
side rather than loading the additional identity side, but I see
where you are coming from.

I think one requirement will be backwards compatibility where users have
invested in using LoginModules - but I suppose we could always supply
handler implementations ourselves to delegate to JAAS definitions where
those are still needed.

> In the architecture I proposed, we just had another callback interface:
>
>     public interface RoleSetCallback extends Callback {
>         Principal getPrincipal();
>         Set<Group> getRoleSet();
>         void setRoleSet(Set<Group> set);
>     }
>
> And a handler can decide whether or not it supports that interface.
> Another interface we could add for AuthModules is a required callbacks
> method:
>
>     interface RequiredCallbackInterfaces {
>         Set<Class<? extends Callback>> getRequiredInterfaces();
>     }
>
> Then we could do some checking at deployment time to catch the case
> where an AuthModule needs a callback interface that isn't provided by
> the security domain.
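An added illustration of the deployment-time check sketched above; this is not code from the thread or from JBoss. A security-domain handler supports RoleSetCallback and refuses anything else, a module declares the callbacks it requires, and missingCallbacks reports what the domain fails to provide. String role names stand in for Group, and RoleTableHandler, missingCallbacks and the in-memory role table are constructed for this example.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.callback.*;

public class CallbackContractCheck {
    // Role-loading callback in the shape proposed in the thread (String roles stand in for Group).
    public static final class RoleSetCallback implements Callback {
        private final Principal principal;
        private Set<String> roles = Set.of();
        RoleSetCallback(Principal p) { principal = p; }
        public Principal getPrincipal() { return principal; }
        public Set<String> getRoleSet() { return roles; }
        public void setRoleSet(Set<String> set) { roles = Set.copyOf(set); }
    }
    // Contract an AuthModule would implement to declare the callbacks it cannot work without.
    interface RequiredCallbackInterfaces {
        Set<Class<? extends Callback>> getRequiredInterfaces();
    }
    // Hypothetical security-domain handler backed by a constructed in-memory role table.
    static final class RoleTableHandler implements CallbackHandler {
        private final Map<String, Set<String>> roleTable;
        RoleTableHandler(Map<String, Set<String>> table) { roleTable = table; }
        Set<Class<? extends Callback>> supported() { return Set.of(RoleSetCallback.class); }
        @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof RoleSetCallback)) // refuse unknown callbacks instead of ignoring them
                    throw new UnsupportedCallbackException(cb, "not provided by this security domain");
                RoleSetCallback rc = (RoleSetCallback) cb;
                rc.setRoleSet(roleTable.getOrDefault(rc.getPrincipal().getName(), Set.of()));
            }
        }
    }
    // Deployment-time check: callbacks the module requires that the handler does not support.
    static Set<Class<? extends Callback>> missingCallbacks(RequiredCallbackInterfaces module, RoleTableHandler handler) {
        Set<Class<? extends Callback>> missing = new HashSet<>(module.getRequiredInterfaces());
        missing.removeAll(handler.supported());
        return missing;
    }
    public static void main(String[] args) throws Exception {
        RoleTableHandler handler = new RoleTableHandler(Map.of("alice", Set.of("admin", "user")));
        RequiredCallbackInterfaces roleOnly = () -> Set.of(RoleSetCallback.class);
        RequiredCallbackInterfaces needsPassword = () -> Set.of(RoleSetCallback.class, PasswordCallback.class);
        System.out.println("missing (role only): " + missingCallbacks(roleOnly, handler));
        System.out.println("missing (needs password): " + missingCallbacks(needsPassword, handler));
        RoleSetCallback rc = new RoleSetCallback(() -> "alice");
        handler.handle(new Callback[] { rc }); // the domain fills in the roles for the principal
        System.out.println("roles for alice: " + rc.getRoleSet());
    }
}
```

A non-empty result from missingCallbacks is the condition the deployment-time check would turn into a deployment failure, so a module that needs a password callback never starts against a domain that only loads roles.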