[jboss-as7-dev] Security Domain Config: JASPI vs Classic?
Bill Burke
bburke at redhat.com
Tue Oct 4 11:11:18 EDT 2011
On 10/4/11 10:52 AM, Darran Lofthouse wrote:
> For the loading of additional identity information for the authenticated
> user such as role information I believe JAAS still has a place and JAAS
> as a complete authentication approach works with mechanisms such as
> Plain where we have a password we want to validate but I also agree we
> have moved beyond the point where we can assume we always have
> everything in the incoming request to pass to JAAS to verify in isolation.
>
What Java EE SPI is there for authorization? Is there even one? In
looking at our code, it just looks we just decided that our LoginModules
are responsible for adding role information.
In the architecture I proposed, we just had another callback interface:
public interface RoleSetCallback {
Principal getPrincipal();
Set<Group> getRoleSet();
void setRoleSet(Set<Group> set);
}
And a handler can decide whether or not it supports that interface.
Another interface we could add for AuthModules is a required callbacks
method:
interface RequiredCallbackInterfaces {
Class<? extends Callback> getRequiredInterfaces();
}
Then we could do some checking at deployment time to catch the case
where an AuthModule needs a callback interface that isn't provided by
the security domain.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the jboss-as7-dev
mailing list