[jboss-as7-dev] Security Domain Config: JASPI vs Classic?
Bill Burke
bburke at redhat.com
Tue Oct 4 11:16:28 EDT 2011
On 10/4/11 10:57 AM, Darran Lofthouse wrote:
>
>
> On 10/04/2011 03:44 PM, Bill Burke wrote:
>>
>> Then, your web.xml could look like this:
>>
>> <login-config>
>> <auth-method>JBOSS</auth-method>
>> <realm-name>jmx-console</realm-name>
>> </login-config>
>>
>> And you don't have to do any real configuration from an application
>> perspective if there are already built in security domains that support
>> what you want to do.
>>
>
> I have a similar issue to some of your concerns to solve for JBoss
> Remoting and inserting the 'Authenticator' during deployment has been
> suggested - if we pick out the <realm-name> specified here an
> authenticator based on the capabilities of the realm can be inserted
> although you may still want app specific config when deciding between
> say BASIC and FORM auth.

So, it could also be:

<login-config>
<auth-method>Basic</auth-method>
<realm-name>jmx-console</realm-name>
</login-config>

Then, we write an AuthModule that looks at the HttpServletRequest's
authtype, and decides what to delegate to.

So, maybe instead of a JBOSS auth-method, it could be a DEFAULT
auth-method. That way a security domain can provide a default mechanism
for web security, and allow the user to override this default within
web.xml.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
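
The resolution rule proposed in this message, as an added example that is not code from the thread or from JBoss AS: a `DEFAULT` auth-method takes the mechanism of the security domain named in `<realm-name>`, and any other value in web.xml overrides it. The class name, the `DOMAIN_DEFAULTS` table with its `FORM` entry, and the choice to reject a `DEFAULT` request for an unknown domain are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class LoginConfigResolver {
    // Assumed for illustration: the default web mechanism of each security domain.
    static final Map<String, String> DOMAIN_DEFAULTS = Map.of("jmx-console", "FORM");

    static String resolve(String webXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The constructed samples carry no DOCTYPE; refusing one blocks XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(webXml.getBytes(StandardCharsets.UTF_8)));
        String method = text(doc, "auth-method");
        String realm = text(doc, "realm-name");
        if (method == null) throw new IllegalStateException("login-config has no auth-method");
        method = method.toUpperCase(Locale.ROOT);      // the thread writes "Basic" and "JBOSS"
        if (!method.equals("DEFAULT")) return method;  // web.xml overrides the domain
        String dflt = (realm == null) ? null : DOMAIN_DEFAULTS.get(realm);
        // Fail closed: never fall through to "no authentication" for an unknown domain.
        if (dflt == null) throw new IllegalStateException("no default mechanism for realm " + realm);
        return dflt;
    }

    private static String text(Document doc, String tag) {
        NodeList n = doc.getElementsByTagName(tag);
        return n.getLength() == 0 ? null : n.item(0).getTextContent().trim();
    }
    // Builds a constructed descriptor in the shape shown in the message.
    static String descriptor(String method, String realm) {
        return "<web-app><login-config><auth-method>" + method + "</auth-method>"
             + "<realm-name>" + realm + "</realm-name></login-config></web-app>";
    }

    public static void main(String[] args) throws Exception {
        System.out.println(resolve(descriptor("Basic", "jmx-console")));
        System.out.println(resolve(descriptor("DEFAULT", "jmx-console")));
        try {
            System.out.println(resolve(descriptor("DEFAULT", "no-such-domain")));
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```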