[ http://jira.jboss.com/jira/browse/JBAS-5096?page=all ]
Anil Saldhana updated JBAS-5096:
--------------------------------
Summary: Separate Security Domains with Virtual Hosts (was: Security
Association with Virtual Hosts)
Fix Version/s: JBossAS-5.0.0.GA
Actually asking for separate security domains for tomcat virtual hosts.
Separate Security Domains with Virtual Hosts
--------------------------------------------
Key: JBAS-5096
URL: http://jira.jboss.com/jira/browse/JBAS-5096
Project: JBoss Application Server
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: Web (Tomcat) service
Affects Versions: JBossAS-4.2.2.GA
Reporter: Andrew Oliver
Assigned To: Anil Saldhana
Fix For: JBossAS-5.0.0.GA
At present jboss-web takes one security-domain and potentially many virtual-host
configurations such that one webapp is deployed to many virtual hosts with the same
security domain. For websites with multiple regions, it often makes sense to use DIFFERENT
security domains for each virtual host.
Today we can have only

    jboss-web
        security-association
        virtual-host

Ideally we could have

    jboss-web
        virtual-host
            security-association
        virtual-host
            security-association

Or:

    jboss-web
        security-association
        virtual-host
            security-association
        virtual-host
            security-association

where the virtual host security-associations would override the parent.
In tomcat/src/main/org/jboss/web/tomcat/service/TomcatDeployer.xml the
performDeployInternal happens ALREADY for each hostname. At present it uses ONE
SecurityAssociationValve for all virtual hosts and the securityassociationvalve is
configured with the metaData.getSecurityDomain(). This could instead be a separate
SecurityAssociationValve for each host with the securitydomain as an argument (used to
flush the authentication cache). Elsewhere, the ENC/security/security-domain is used. This
instead could be the ENC/security/vhost/security-domain or securityMgr (they ultimately
are the same thing in server/src/main/org/jboss/web/AbstractWebDeployer).
The trickiest piece isn't the server code (this would require some refactoring) but
doing the descriptor in an adequate but backward compatible way.
<virtual-host>hostname</virtual-host> becomes
<virtual-host>xxx</virtual-host><security-domain>domain</security-domain>
or something like that. Ideally it would be
<virtual-host>xxx<security-domain>xxx</security-domain></virtual-host>
for clarity.
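The override rule requested above, as an added example that is not JBoss code and not part of the issue: it resolves the effective security domain for each virtual host from the nested descriptor form, falling back to the parent domain so that existing descriptors keep working. The class name, host names and JNDI domain names are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class VhostDomainResolver {
    // Constructed descriptor in the nested form proposed in the issue; names are made up.
    static final String SAMPLE =
        "<jboss-web>"
      + "<security-domain>java:/jaas/global</security-domain>"
      + "<virtual-host>eu.example.com<security-domain>java:/jaas/eu</security-domain></virtual-host>"
      + "<virtual-host>us.example.com</virtual-host>"   // legacy form: inherits the parent domain
      + "</jboss-web>";

    /** Maps each virtual host to its own security domain, or the parent's if it has none (null if neither). */
    static Map<String, String> resolve(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // reject DTDs
        Element root = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        String parent = null;
        Map<String, String> own = new LinkedHashMap<>();   // host -> nested domain, or null
        for (Node n = root.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (!(n instanceof Element)) continue;
            if (n.getNodeName().equals("security-domain")) parent = n.getTextContent().trim();
            if (!n.getNodeName().equals("virtual-host")) continue;
            String host = null, domain = null;
            for (Node c = n.getFirstChild(); c != null; c = c.getNextSibling()) {
                if (c.getNodeType() == Node.TEXT_NODE && host == null && !c.getTextContent().trim().isEmpty())
                    host = c.getTextContent().trim();
                else if (c instanceof Element && c.getNodeName().equals("security-domain"))
                    domain = c.getTextContent().trim();
            }
            if (host == null) throw new IllegalArgumentException("virtual-host without a host name");
            own.put(host, domain);
        }
        Map<String, String> effective = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : own.entrySet())   // second pass: parent may follow the hosts
            effective.put(e.getKey(), e.getValue() != null ? e.getValue() : parent);
        return effective;
    }

    public static void main(String[] args) throws Exception {
        resolve(SAMPLE).forEach((host, domain) -> System.out.println(host + " -> " + domain));
    }
}
```

With a map like this, the deployer could construct one SecurityAssociationValve per host with that host's domain, so an authentication cache flush is scoped to the domain the host actually uses.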