[jboss-dev-forums] [Design of Security on JBoss] - Re: Security Injection in AS5

Wed Mar 12 16:12:47 EDT 2008

"anil.saldhana at jboss.com" wrote : this design thread is to discuss Adrian's subtask for me to tidy up some of the security injection in AS5.
  | http://jira.jboss.com/jira/browse/JBAS-5309
  | 
  | Adrian: There's no real way to depend upon a specific login module, you have to depend on the XMLLoginConfig
  | 
  | The dependency cannot be on a single login module. XMLLoginConfig just establishes the configuration needed for the modules. 
  | 

I'm saying there should be. 

The first pass would be to make the SecurityDomain injectable
by "hiding" all the wiring inside your own mc dependency.

This would translate to the dependency is only satisfied
when the login module repository has a "jbossmq" login module
and the value returned is the security domain once it is satisifed

Internally, this could use the current mechanism of looking up java:/jaas/name
or it could be more optimised (more optimised is preferred since the
jndi lookup doesn't provide a way to be notified of undeployment).

  | <bean name="Whatever" ...>
  |    <property name="securityDomain"><security-domain-ref xmlns="urn:jboss-security-beans:1.0" name="jbossmq"/></property>
  | ...
  | 

The second pass would be to make security domains deployable inside the MC
by writing a BeanMetaDataFactory

This would be similar to above, except now you can deploy the login modules
inside MC configuration

  | bean name="Whatever" ...>
  |    <property name="securityDomain><inject name="jbossmq" property="securityDomain"/></property>
  | </bean>
  | 
  | <login-module xmlns="urn:jboss-security-beans:1.0" name="jbossmq">
  |        <authentication>
  |           <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
  |              flag = "required">
  |              <module-option name = "unauthenticatedIdentity">guest</module-option>
  |              <module-option name = "dsJndiName">java:/DefaultDS</module-option>
  |              <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
  |              <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
  |           </login-module>
  |        </authentication>
  | </login-module>
  | 

The real solution (longer term) is to get the secuity aspect to "automagically"
inject it from the "metadata repository" (such a mechansim
doesn't really exist in AOP yet so this is asperational :-).

e.g. something like (the annotations are not real, just for discussion purposes)

  | @AspectFactory("SecurityAspect" scope=Scope.PER_INSTANCE)
  | public class SecurityAspect
  | {
  |     public SecurityAspect(
  |         @Inject(fromMetaData=true)
  |         SecurityDomain securityDomain
  |     ) { ... }
  | }
  | 

The later (which doesn't exist) would mean that when AOP injects the
parameter into the constructor method, it uses
MetaData.getMetaData(SecurityDomain.class) as the parameter
which could come from any of the scopes 
e.g. instance - the ejb, 
or deployment - the ear config
server - a server wide default piece of metadata

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4136107#4136107

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4136107