[jboss-dev-forums] [Design of Security on JBoss] - Re: Security Injection in AS5
sguilhen@redhat.com
do-not-reply at jboss.com
Fri Apr 25 14:18:58 EDT 2008
Yes, I can.
What I want to achieve is what Adrian suggested in his first post in this thread:
anonymous wrote :
| make security domains deployable inside the MC by writing a BeanMetaDataFactory
|
| <bean name="Whatever" ...>
|    <property name="securityDomain"><inject name="jbossmq" property="securityDomain"/></property>
| </bean>
|
| <application-policy xmlns="urn:jboss-security-beans:1.0" name="jbossmq">
|    <authentication>
|       <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
|                     flag = "required">
|          <module-option name = "unauthenticatedIdentity">guest</module-option>
|          <module-option name = "dsJndiName">java:/DefaultDS</module-option>
|          <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
|          <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
|       </login-module>
|    </authentication>
| </application-policy>
|
I've started by taking a look at the aop-mc integration, as AOP had to define their beans and metadata factories to make it possible to use the aop elements in the -beans.xml files.
So I've created a module, security-mc-int under the microcontainer project (not sure it should be there, just using the same approach AOP has taken), defined the beans, defined the security-beans.xsd, and started the implementation of the metadata factory.
This factory is responsible for providing the metadata that is used to create the beans from the information parsed. An example of the beans that would result from the factory follows:
| <bean name="jbossmq" class="org.jboss.security.microcontainer.beans.ApplicationPolicyBean">
|    <property name="authenticationPolicy"><inject bean="jbossmq$AuthPolicy"/></property>
| </bean>
|
| <bean name="jbossmq$AuthPolicy" class="org.jboss.security.microcontainer.beans.AuthenticationPolicyBean">
|    <property name="loginModules">
|       <list>
|          <inject bean="jbossmq$LoginModule1"/>
|          <inject bean="jbossmq$LoginModule2"/>
|       </list>
|    </property>
| </bean>
|
| <bean name="jbossmq$LoginModule1" class="org.jboss.security.microcontainer.beans.LoginModuleBean">
|    <property name="flag">required</property>
|    <property name="code">org.jboss.security.auth.spi.UsersRolesLoginModule</property>
|    <property name="moduleOptions">
|       <map keyClass="java.lang.String" valueClass="java.lang.String">
|          <entry>
|             <key>usersProperties</key>
|             <value>jboss-users.properties</value>
|          </entry>
|          <entry>
|             <key>rolesProperties</key>
|             <value>jboss-roles.properties</value>
|          </entry>
|       </map>
|    </property>
| </bean>
|
| <bean name="jbossmq$LoginModule2" class="org.jboss.security.microcontainer.beans.LoginModuleBean">
|    <property name="flag">optional</property>
|    <property name="code">org.jboss.security.auth.spi.DatabaseServerLoginModule</property>
|    <property name="moduleOptions">
|       <map keyClass="java.lang.String" valueClass="java.lang.String">
|          <entry>
|             <key>principalsQuery</key>
|             <value>SELECT PASSWD FROM USERS WHERE USER_ID=?</value>
|          </entry>
|          <entry>
|             <key>rolesQuery</key>
|             <value>SELECT ROLE_ID, 'Roles' FROM ROLES WHERE USER_ID=?</value>
|          </entry>
|       </map>
|    </property>
| </bean>
|
The top-level ApplicationPolicyBean would, after being initialized, push the ApplicationPolicy to the security layer to register the new policy (along with the login modules configuration).
I still have to figure out a couple of things. First, can I add post-installation behavior to my beans just by implementing the install and uninstall methods or is it necessary to configure an aop lifecycle for that? Second, I don't expect things to magically happen just by defining the metadata factory. Somehow I must bind it to the schema being parsed (that is, somehow the MC must know which factory to use when facing an application-policy element).
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4146902#4146902
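
Added example, not part of the original post and not the security-mc-int code: a stand-alone Python model of the expansion the post describes, turning one application-policy element into the `name$LoginModuleN`, `name$AuthPolicy` and top-level bean descriptors. The function name `expand_policy`, the dict layout, and the rejection of unknown JAAS flags and of policies without login modules are assumptions of this sketch; it does not use the microcontainer API.

```python
import xml.etree.ElementTree as ET

NS = "urn:jboss-security-beans:1.0"                 # namespace used in the post
BEANS = "org.jboss.security.microcontainer.beans."  # bean package used in the post
JAAS_FLAGS = {"required", "requisite", "sufficient", "optional"}

# Constructed sample input, modelled on the policy quoted in the post.
SAMPLE = """
<application-policy xmlns="urn:jboss-security-beans:1.0" name="jbossmq">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/DefaultDS</module-option>
      <module-option name="principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
    </login-module>
  </authentication>
</application-policy>
"""

def expand_policy(xml_text):
    """Return bean descriptors (plain dicts): login modules, auth policy, top-level bean."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS}}}application-policy":
        raise ValueError(f"unexpected root element {root.tag}")
    domain = root.get("name")
    if not domain:
        raise ValueError("application-policy needs a name")
    modules = root.findall(f"{{{NS}}}authentication/{{{NS}}}login-module")
    if not modules:
        # Assumption of this sketch: an empty policy is a configuration error.
        raise ValueError("policy defines no login modules")
    beans = []
    for i, lm in enumerate(modules, start=1):
        flag = (lm.get("flag") or "").strip().lower()
        if flag not in JAAS_FLAGS:
            # Assumption: fail at parse time rather than register a mistyped flag.
            raise ValueError(f"login-module {i}: invalid flag {lm.get('flag')!r}")
        options = {o.get("name"): (o.text or "").strip()
                   for o in lm.findall(f"{{{NS}}}module-option")}
        beans.append({"name": f"{domain}$LoginModule{i}", "class": BEANS + "LoginModuleBean",
                      "flag": flag, "code": lm.get("code"), "moduleOptions": options})
    # At this point beans holds only the login-module descriptors.
    beans.append({"name": f"{domain}$AuthPolicy", "class": BEANS + "AuthenticationPolicyBean",
                  "loginModules": [b["name"] for b in beans]})
    beans.append({"name": domain, "class": BEANS + "ApplicationPolicyBean",
                  "authenticationPolicy": f"{domain}$AuthPolicy"})
    return beans
```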