Darran Lofthouse [http://community.jboss.org/people/darran.lofthouse%40jboss.com] created the discussion "Re: AS7 : Authentication and Authorization"
To view the discussion, visit: http://community.jboss.org/message/582748#582748
--------------------------------------------------------------
I have also thought for a while that this area needs an overhaul. I think the pattern
imposed by the UsernamePasswordLoginModule really complicates writing login modules that
can have the pure authentication step handled by one module and the Principal association
handled by the other modules.
Also, when discussing these modules I think it is probably best not to discuss them as
handling authorization; that is something that happens outside of the authentication
process when the modules are called. The modules populate the Principals in the Subject
that can be used for authorization, but the actual authorization is separate.
When writing some of the modules within JBoss Negotiation I had to make some decisions
regarding chaining or extending that may have some bearing on your work here: -
* Connection Sharing
* Pre-authentication queries
So for the connection sharing a number of modules establish a connection to something
remote such as an LDAP server or a database, the current modules use the same connection
for the pure authentication and the subsequent loading of roles - a subsequent switch to
split modules could benefit also from a mechanism to share these connections whilst taking
into account issues such as ensuring no leaks.
For the second issue with pre-authentication queries I found myself that in the case of
having an LDAP login module chained after another module that had performed the
authentication the LDAP module still needed to perform almost the same set of queries to
identify the user before the roles searching could begin - in the end for the
AdvancedLdapLoginModule in JBoss Negotiation when chained the only thing actually skipped
was the password verification, the remaining 99% of code was still called as if it was not
chained.
--------------------------------------------------------------
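The split described in the post above, as an added example that is not part of the original message and is not JBoss Negotiation or PicketBox code: a JAAS module that performs no password check and only associates role Principals for an identity that an earlier module in the chain has already authenticated. The class name, the `RolePrincipal` type and the in-memory `ROLES` map (standing in for an LDAP or database lookup) are assumptions made for illustration; Java 16 or later is assumed.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical chained module: no credential handling, Principal association only.
public class RoleAssociationLoginModule implements LoginModule {
    // Shared-state key conventionally used by JAAS modules to pass on the user name.
    static final String NAME_KEY = "javax.security.auth.login.name";
    // Constructed sample data standing in for the remote role lookup.
    static final Map<String, List<String>> ROLES = Map.of("alice", List.of("admin", "user"));

    record RolePrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    private Subject subject;
    private Map<String, ?> sharedState;
    private final Set<Principal> pending = new HashSet<>();

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.sharedState = sharedState;
    }

    public boolean login() throws LoginException {
        Object name = sharedState.get(NAME_KEY);
        // Fail closed: if no earlier module published an identity, associate nothing.
        if (name == null) throw new LoginException("no authenticated identity in shared state");
        for (String role : ROLES.getOrDefault(name.toString(), List.of()))
            pending.add(new RolePrincipal(role));
        return true;
    }

    public boolean commit() {
        // Only populates the Subject; the authorization decision is made elsewhere, later.
        subject.getPrincipals().addAll(pending);
        return true;
    }

    public boolean abort() { pending.clear(); return true; }

    public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof RolePrincipal);
        pending.clear();
        return true;
    }
}
```

In a login configuration this module would be listed after the authenticating module, with that module flagged `requisite` so that a failed authentication stops the chain before role association runs.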