[jboss-dev-forums] [Design of JBoss/Tomcat Integration] - Make VirtualHosts use different SecurityDomains

acoliver@jboss.org do-not-reply at jboss.com
Thu Dec 20 13:17:02 EST 2007


At present jboss-web takes one security-domain and potentially many virtual-host configurations such that one webapp is deployed to many virtual hosts with the same security domain.  For websites with multiple regions, it often makes sense to use DIFFERENT security domains for each virtual host.

Today we can have only

jboss-web
  security-association
  virtual-host

Ideally we could have

jboss-web
    virtual-host
         security-association
    virtual-host
         security-association

Or:

jboss-web
    security-association
    virtual-host
         security-association
    virtual-host
         security-association

where the virtual host security-associations would override the parent.

In tomcat/src/main/org/jboss/web/tomcat/service/TomcatDeployer.xml the performDeployInternal happens ALREADY for each hostname.  At present it uses ONE SecurityAssociationValve for all virtual hosts and the SecurityAssociationValve is configured with the metaData.getSecurityDomain().  This could instead be a separate SecurityAssociationValve for each host with the securitydomain as an argument (used to flush the authentication cache).  Elsewhere, the ENC/security/security-domain is used.  This instead could be the ENC/security/vhost/security-domain or securityMgr (they ultimately are the same thing in server/src/main/org/jboss/web/AbstractWebDeployer).

The trickiest piece isn't the server code (this would require some refactoring) but doing the descriptor in an adequate but backward-compatible way. <virtual-host>hostname</virtual-host> becomes <virtual-host>xxx</virtual-host><security-domain>domain</security-domain> or something like that.  Ideally it would be <virtual-host>xxx<security-domain>xxx</security-domain></virtual-host> for clarity.

Thoughts?  (Sh/C)ould this be done?  Accepted if done by someone else?  If so could it make the 4.2 branch or possibly somewhere in 5 + 4.2 backport?

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4114751#4114751

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4114751
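
The override rule proposed in the post, as an added example that is not part of the original post and is not JBoss code. It models the nested <virtual-host>xxx<security-domain>xxx</security-domain></virtual-host> form next to today's single-domain form; the function name, hostnames and JNDI names are constructed, and rejecting a host that resolves to no domain is an assumption of this sketch, not something the post specifies.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors (not taken from any real deployment).
LEGACY = """<jboss-web>
  <security-domain>java:/jaas/global</security-domain>
  <virtual-host>www.example.com</virtual-host>
  <virtual-host>www.example.de</virtual-host>
</jboss-web>"""

NESTED = """<jboss-web>
  <security-domain>java:/jaas/global</security-domain>
  <virtual-host>www.example.com</virtual-host>
  <virtual-host>www.example.de
    <security-domain>java:/jaas/emea</security-domain>
  </virtual-host>
</jboss-web>"""

NO_DEFAULT = """<jboss-web>
  <virtual-host>www.example.com
    <security-domain>java:/jaas/us</security-domain>
  </virtual-host>
  <virtual-host>www.example.jp</virtual-host>
</jboss-web>"""


def resolve_security_domains(descriptor_xml):
    """Return {hostname: security domain} for every virtual host.

    A nested <security-domain> overrides the top-level one. A host with
    neither is rejected (assumption of this sketch), so no host ends up
    deployed without a domain.
    """
    root = ET.fromstring(descriptor_xml)
    # Direct child only: nested per-host domains are not matched here.
    default = (root.findtext("security-domain") or "").strip() or None
    resolved = {}
    for vhost in root.findall("virtual-host"):
        host = (vhost.text or "").strip().lower()
        if not host:
            raise ValueError("virtual-host without a hostname")
        if host in resolved:
            raise ValueError("duplicate virtual-host: " + host)
        own = (vhost.findtext("security-domain") or "").strip() or None
        domain = own or default
        if domain is None:
            raise ValueError("no security domain for virtual-host " + host)
        resolved[host] = domain
    return resolved
```

An existing descriptor (LEGACY) resolves exactly as it does today, which is the backward-compatibility property the post asks for.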


