[jboss-as7-dev] web security extensions
Darran Lofthouse
darran.lofthouse at jboss.com
Wed Jun 8 09:29:59 EDT 2011
On 06/08/2011 02:23 PM, Bill Burke wrote:
> I think AS7 and JBoss Web needs some cleaner integration if you want to
> define your own web security extensions to do your own custom
> authentication for instance.
>
> Right now you have to define in jboss-web.xml:
>
> <jboss-web>
> <security-domain>java:/jaas/SPNEGO</security-domain>
> <valve>
>
> <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
>
> </valve>
> </jboss-web>
>
>
> It would be cool if you could replace the<valve> in jboss-web.xml with
> an<auth-method> within web.xml. I think I know how this could be done
> with no modifications to JBoss-Web, but where would you put the mapping
> information? Within JBoss-web's subsystem domain model?
Yes the code to add it back in is simple it is just deciding where it
should live.
There is however a general opinion that class names should not form a
part of the domain model so a mapping of this sort would go against that.
I wonder if it could make sense as subsystems are added to the server
that they also register any authenticators that they provide so a static
definition of the mapping could be eliminated - the same could then
apply to the registration of the actual login modules if that was
handled in a similar way.
>
> Furthermore, I think it would be even cleaner if that type of config was
> ditched in favor of a URI within web.xml i.e.
>
> <login-config>
> <auth-method>BASIC:/webconsole</auth-method>
> ...
> </login-config>
>
> The above would mean BASIC authentication using the "webconsole"
> security-domain. I think it would be interesting also if JBossWeb asked
> the security domain for valves it should use/apply.
>
> i.e.
>
> <login-config>
> <auth-method>security-domain:/webconsole</auth-method>
> ...
> </login-config>
>
> In this case, JBoss Web sees "security-domain" so it looks up the
> "webconsole" security domain and asks it to set up all the appropriate
> valves that are needed to set up.
>
> In this manner, multiple web apps could use the same security domain and
> you wouldn't have to change their config if you wanted to change the
> authentication method. The security domain has complete control over
> the authentication mechanism. You could take this even further fully
> delegate security constraint application to the security domain. THis
> would be very interesting as then an Identity Management service could
> have complete control over security metadata without having to modify
> the WAR.
>
More information about the jboss-as7-dev
mailing list