[jboss-as7-dev] Security Domain Config: JASPI vs Classic?
Stefan Guilhen
sguilhen at redhat.com
Mon Oct 3 10:10:13 EDT 2011
Anil has created the original jaspi configuration, so he can provide
further details in case I miss anything here.

The JASPI config consists of two sections: one identifies the module
that is capable of handling the request message and extracting security
attributes from this message, and one section that identifies the set of
modules that will handle the JAAS authentication once the attributes
have been obtained.

An example of the former is the HTTPBasicServerAuthModule - this module
gets the HTTPServletRequest from the MessageInfo and searches for the
username and password in the proper HTTP headers. Once this data is
retrieved, this module delegates the real authentication to the set of
modules that have been configured in the login-module-stack. Something
like this:

<authentication-jaspi>
    <login-module-stack name="myConfig">
        <login-module name="UsersRoles"....>
            ..
        </login-module>
    </login-module-stack>
    <auth-module code="org.jboss....HTTPBasicServerAuthModule"
                 login-module-stack-ref="myConfig"/>
</authentication-jaspi>

In a sense the login-module-stack is just a wrapper with a name for a
set of modules and we surely could have it for the classic
authentication modules too, but I think this would just unnecessarily
add an extra element to every security domain config.
On 10/03/2011 10:43 AM, Marcus Moyses wrote:
> Do you plan to make those attributes optional or mandatory? I guess if
> they were optional there would be no problem to merge the
> configurations. Making them required would add some confusion to
> customers I guess.
> Anyway, Stefan implemented the JASPI integration last week and was about
> to send a pull request so you might want to check with him so your
> commits don't conflict.
>
> On 10/03/2011 02:28 AM, Jason T. Greene wrote:
>> Right now the security domain configuration has separate sections for
>> JASPI and Classic/Basic authentication. The only difference seems to
>> be that JASPI authentication requires an additional name field per
>> module, and JASPI authorization requires an additional login-module
>> reference. So essentially it's a superset.
>>
>> Is there a reason we would not want to just switch to the JASPI style
>> of specification, and eliminate the classic style? A name per login
>> module seems useful anyway.
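
Added example, not part of the original message and not JBoss code: a small check over a fragment shaped like the one shown above, reporting any auth-module whose login-module-stack-ref does not resolve to a named login-module-stack, or resolves to a stack with no login modules. The sample XML, the module class names and the finding labels are constructed, and the fragment is assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample: element and attribute names follow the snippet in the
# message; the class names and the "missingStack" reference are made up.
SAMPLE = """
<authentication-jaspi>
  <login-module-stack name="myConfig">
    <login-module name="UsersRoles"/>
  </login-module-stack>
  <login-module-stack name="emptyStack"/>
  <auth-module code="example.HTTPBasicServerAuthModule"
               login-module-stack-ref="myConfig"/>
  <auth-module code="example.OtherAuthModule"
               login-module-stack-ref="missingStack"/>
  <auth-module code="example.EmptyStackAuthModule"
               login-module-stack-ref="emptyStack"/>
</authentication-jaspi>
"""

def check_jaspi_config(xml_text):
    """Return sorted (finding, subject) pairs for one <authentication-jaspi>."""
    root = ET.fromstring(xml_text)  # assumption: no XML namespace on the fragment
    findings = []
    stacks = {}  # stack name -> number of login modules it wraps
    for stack in root.findall("login-module-stack"):
        name = stack.get("name")
        if not name:
            findings.append(("stack-without-name", "login-module-stack"))
            continue
        if name in stacks:
            findings.append(("duplicate-stack-name", name))
        stacks[name] = len(stack.findall("login-module"))
    referenced = set()
    for auth in root.findall("auth-module"):
        code = auth.get("code", "<no code>")
        ref = auth.get("login-module-stack-ref")
        if ref is None:
            # Reported for review: this module names no stack to delegate to.
            findings.append(("auth-module-without-stack-ref", code))
        elif ref not in stacks:
            findings.append(("dangling-stack-ref", f"{code} -> {ref}"))
        else:
            referenced.add(ref)
            if stacks[ref] == 0:
                findings.append(("empty-stack-referenced", f"{code} -> {ref}"))
    findings += [("unreferenced-stack", n) for n in stacks.keys() - referenced]
    return sorted(findings)

if __name__ == "__main__":
    for finding, subject in check_jaspi_config(SAMPLE):
        print(f"{finding}: {subject}")
```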