[jboss-dev-forums] [Design of Security on JBoss] - Re: SecurityContext
scott.stark@jboss.org
do-not-reply at jboss.com
Tue Jan 2 19:32:17 EST 2007
Setting the security context has to be reconciled with the security aspect behavior. If you do an explicit JAAS login, all that really results is an authenticated subject. Instead of having a ClientLoginModule push this to a thread local, it could associate this info with the mc metadata repository at a request scope. The aspect checking the security context would use the metadata repository to pick up scope starting from the request and moving up to higher levels like deployment, security domain default, etc.
Alternatively we could look at Subject.doAs*()/Subject.getSubject(AccessControlContext acc) with validation of the authentication as data in the subject private credentials to better leverage the JAAS APIs.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3997403#3997403
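The second alternative in the post, sketched as an added example (not code from the post or from JBoss): a checking aspect reads the Subject from the AccessControlContext and accepts it only if its private credentials carry a proof of authentication for the expected security domain, since any code can build a Subject and call doAs. `AuthProof`, `NamePrincipal`, `login` and `callerFor` are hypothetical names; `Subject.getSubject` and `AccessController` are the APIs the post names and are deprecated for removal since Java 17, so this assumes a JDK that still supports them.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

public class SubjectContextDemo {
    // Hypothetical marker: only this class (the "login" side) can construct it.
    static final class AuthProof {
        final String securityDomain;
        private AuthProof(String securityDomain) { this.securityDomain = securityDomain; }
    }

    static final class NamePrincipal implements Principal {
        private final String name;
        NamePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Stand-in for a successful JAAS login against one security domain.
    static Subject login(String user, String domain) {
        Subject s = new Subject();
        s.getPrincipals().add(new NamePrincipal(user));
        s.getPrivateCredentials().add(new AuthProof(domain));
        s.setReadOnly(); // later code cannot add principals or credentials
        return s;
    }

    // What the security aspect would do: no thread local, the Subject comes
    // from the AccessControlContext and is validated before it is trusted.
    static String callerFor(String domain) {
        Subject s = Subject.getSubject(AccessController.getContext());
        if (s == null) return null; // no doAs in effect
        for (AuthProof p : s.getPrivateCredentials(AuthProof.class)) {
            if (p.securityDomain.equals(domain)) {
                return s.getPrincipals().iterator().next().getName();
            }
        }
        return null; // Subject present but never authenticated for this domain
    }

    public static void main(String[] args) {
        Subject real = login("alice", "demo");   // constructed sample identity
        Subject forged = new Subject();          // built without any login
        forged.getPrincipals().add(new NamePrincipal("admin"));
        PrivilegedAction<String> check = () -> callerFor("demo");
        System.out.println("authenticated: " + Subject.doAs(real, check));
        System.out.println("forged:        " + Subject.doAs(forged, check));
        System.out.println("no subject:    " + check.run());
    }
}
```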