[jboss-dev-forums] [Design of Security on JBoss] - Re: SecurityContext
anil.saldhana@jboss.com
do-not-reply at jboss.com
Mon Oct 23 15:10:45 EDT 2006
An issue that I have noticed with Security Context with reference to RoleMapping is:
If we have multiple deployments (A.war, b-ejb.jar, C.war, etc.) all driven by the same security domain and since the SecurityContext works at the domain level, we can have an issue if the user configures a custom role mapping module for a particular deployment (say, A.war).
So the user may want a subset of roles applicable to deployment A whereas for the other deployments, a superset (or a different set of roles) can apply.
Unless we do a fresh creation of security context roles for each lookup of roles, there can be issues (cached roles in the context).
Workaround:
a) Provide a system property that is jbosssx specific that configures whether the Authorization Manager does a fresh set of security context roles (read the subject roles if any and apply mapping) on each look up OR
b) Provide options on the Authorization Manager Service to be provided to each of the Authorization Managers possible.
I like b)
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3980152#3980152
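The caching issue described in the post above, as an added example that is not part of the original post and is not JBoss code. DomainContext, MAPPERS and lookupRoles are hypothetical names, the role and mapping data are constructed, and the `fresh` flag stands in for the per-lookup recomputation the workaround proposes.

```java
import java.util.*;
import java.util.function.UnaryOperator;

// Hypothetical model, not JBoss classes: one context per security domain,
// shared by every deployment that uses that domain.
public class RoleCacheDemo {
    static class DomainContext {
        final Set<String> subjectRoles;   // roles established at authentication
        Set<String> cachedRoles;          // mapped roles cached at the domain level
        DomainContext(Set<String> roles) { subjectRoles = roles; }
    }

    // Per-deployment role mapping modules; a deployment without one keeps the roles as-is.
    static final Map<String, UnaryOperator<Set<String>>> MAPPERS = new HashMap<>();

    static Set<String> lookupRoles(DomainContext ctx, String deployment, boolean fresh) {
        if (!fresh && ctx.cachedRoles != null) {
            return ctx.cachedRoles;       // whichever deployment asked first wins
        }
        // Re-read the subject roles and apply this deployment's mapping.
        Set<String> mapped = MAPPERS.getOrDefault(deployment, UnaryOperator.identity())
                                    .apply(new TreeSet<>(ctx.subjectRoles));
        if (!fresh) {
            ctx.cachedRoles = mapped;
        }
        return mapped;
    }

    public static void main(String[] args) {
        // Constructed sample data: A.war wants only the "viewer" role applied.
        MAPPERS.put("A.war", roles -> { roles.retainAll(Set.of("viewer")); return roles; });
        Set<String> subject = Set.of("viewer", "admin");

        for (boolean fresh : new boolean[] { false, true }) {
            DomainContext ctx = new DomainContext(subject);
            System.out.println("fresh roles on each lookup = " + fresh);
            // With caching, order matters: C.war fills the cache and A.war inherits it.
            for (String d : List.of("C.war", "A.war", "b-ejb.jar")) {
                System.out.println("  " + d + " -> " + lookupRoles(ctx, d, fresh));
            }
        }
    }
}
```

With the domain-level cache, A.war is handed the unmapped role set because C.war looked up first; with a fresh computation per lookup, A.war gets only the subset its mapping module allows.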