[jboss-dev-forums] [PicketBox Development] - Re: AS7: Web Security - JBossWebRealm

Anil Saldhana do-not-reply at jboss.com
Fri Jan 14 12:01:12 EST 2011


Anil Saldhana [http://community.jboss.org/people/anil.saldhana%40jboss.com] created the discussion

"Re: AS7: Web Security - JBossWebRealm"

To view the discussion, visit: http://community.jboss.org/message/580887#580887

--------------------------------------------------------------
==================

(10:16:26 AM) asaldhan: dmlloyd: I need a generic classloader where I can set an infinite set of delegate CLs (which will be module CLs)
(10:16:57 AM) asaldhan: ===
(10:17:00 AM) asaldhan: (10:13:54 AM) anil: marcus: maybe we can have a generic classloader with two delegates
(10:17:00 AM) asaldhan: (10:14:07 AM) anil: marcus: in our integration code (web, ejb etc) we can just use that generic CL
(10:17:00 AM) asaldhan: (10:14:25 AM) anil: marcus: GenCL( Pbox, WebCL)
(10:17:00 AM) asaldhan: (10:14:34 AM) anil: marcus: GenCL( Pbox, EJBCL)
(10:17:01 AM) asaldhan: ========
(10:17:01 AM) dmlloyd: easy, use a module with a fallback local loader :)
(10:17:33 AM) dmlloyd: though I think there's probably a better solution to whatever problem you have
(10:17:44 AM) asaldhan: dmlloyd: that is why I am asking u.  :) 
(10:18:06 AM) asaldhan: dmlloyd: I think we have the security module (pbox).  But we also need to get hold of the integration layer CL 
(10:18:15 AM) asaldhan: dmlloyd: such as web, ejb etc.
(10:18:17 AM) dmlloyd: what's the use case?
(10:19:02 AM) asaldhan: dmlloyd: the use case is this way.  The web cl may have artifacts (properties files etc) needed to make security decisions.  But the security subsystem will need the pbox module loader to load things such as security login modules.
(10:19:30 AM) dmlloyd: from what context?
(10:19:46 AM) asaldhan: dmlloyd: ?
(10:19:56 AM) dmlloyd: is this happening during a servlet request?
(10:20:12 AM) asaldhan: dmlloyd: web security check
(10:20:13 AM) dmlloyd: or an EJB call?
(10:20:22 AM) asaldhan: dmlloyd: ejb security check
(10:20:34 AM) dmlloyd: ok during both of those cases, we have a TCCL of the deployment class loader right?
(10:20:39 AM) asaldhan: dmlloyd: we use the TCCL inside to load resources if possible
(10:21:15 AM) asaldhan: dmlloyd: the depl cl does not have the Pbox loader associated
(10:21:25 AM) dmlloyd: if you know where a resource is coming from, you can choose: TCCL for the deployment, the PB module CL for PB resources, other module CLs for module-specific resources
(10:21:58 AM) asaldhan: dmlloyd: when I send a check into the security subsystem,  I need all of those
(10:22:26 AM) dmlloyd: if not, then you *may* define a module which delegates to the deployment plus any additional CLs you have (we call this an "aggregator" module), but it should only be a last resort
(10:22:54 AM) dmlloyd: for example, you should never define system-wide resources by what you find in a deployment
(10:23:15 AM) asaldhan: dmlloyd: I may be looking for resources under WEB-INF/classes
(10:23:23 AM) asaldhan: dmlloyd: that is part of the servlet cl
(10:24:00 AM) asaldhan: dmlloyd: as a user, I may write a LM that looks for resources on tccl.
(10:24:10 AM) asaldhan: dmlloyd: I don't write the LM with web apps in mind
(10:26:12 AM) wolfc: dmlloyd, I've rewritten the commits  https://github.com/wolfc/invocation-api/commits/wolfc
(10:26:50 AM) wolfc: I actually expected the rebase to take the last commit time of commits squashed together
(10:29:37 AM) dmlloyd: asoldano:  http://github.com/dmlloyd/jboss-modules/commit/fc36308
(10:29:38 AM) jbossbot: *git* [jboss-modules] fc36308.. David M. Lloyd Document out the module.xml schema, fix problems in the module ID validation
(10:29:49 AM) dmlloyd:  :) 
(10:30:19 AM) dmlloyd: asaldhan: well I think we have a couple options at our disposal.  Let me know when you guys want to start coding it up and we'll walk through a first cut
(10:30:51 AM) asaldhan: dmlloyd: I am ready and willing.
(10:30:53 AM) asaldhan: dmlloyd: I do
(10:33:50 AM) *kkhan left the room (quit: Quit: kkhan).*
(10:34:02 AM) dmlloyd: asaldhan: ok so what we're really talking about is setting a new TCCL while LMs do their thing, right?
(10:34:22 AM) asaldhan: dmlloyd: right.
(10:34:46 AM) asaldhan: dmlloyd: and the tccl is very short in lifetime
(10:34:47 AM) dmlloyd: are we the ones instantiating the LM or does the user create and use it without our intervention?
(10:34:51 AM) asaldhan: dmlloyd: just the security check
(10:35:32 AM) asoldano: dmlloyd, thanks, reading it
(10:35:33 AM) asaldhan: dmlloyd: the path is this:    web layer ->  web sec layer --> picketbox  -> jaas  -> class.forName(LM)  ->  scan 
(10:35:47 AM) dmlloyd: ok, excellent, so we have control of that code path
(10:35:54 AM) asaldhan: dmlloyd: scan maybe looking for tccl resources
(10:36:10 AM) asaldhan: dmlloyd: I don't want to do any tccl business in PBox and beyond
(10:36:17 AM) asaldhan: dmlloyd: I want it set before PBox
(10:36:33 AM) asaldhan: dmlloyd: the same happens in EJB too
(10:37:26 AM) dmlloyd: so what we could do is create an aggregator module which includes the deployment plus picketbox and whatever else you want included and use that module CL as the TCCL during JAAS activities
(10:37:56 AM) asaldhan: dmlloyd: that can work
(10:38:21 AM) asaldhan: dmlloyd: do u have aggregator module examples?
(10:38:38 AM) dmlloyd: only static module.xml ones.
(10:38:45 AM) dmlloyd: the way we have to do this is different though.
(10:39:01 AM) dmlloyd: we need a deployer phase which constructs it and attaches it to the deployment unit.
(10:39:18 AM) dmlloyd: there is only one place in code that builds a module right now...
(10:40:08 AM) asaldhan: dmlloyd: ok got that.
(10:40:24 AM) asaldhan: dmlloyd: let me discuss the other option. tell me what the -ves are
(10:40:49 AM) asaldhan: dmlloyd: I have a TwoDelegateCL that I am going to set and throwaway for just one security check.  I set whatever CL delegates I want.
(10:41:17 AM) asaldhan: dmlloyd: what can go wrong?
(10:41:26 AM) dmlloyd: sure, just have to beware of deadlocks.
(10:41:36 AM) dmlloyd: and there may be additional cost to constructing CLs, not sure
(10:42:07 AM) dmlloyd: if you run into problems, just change your CL to extend ConcurrentClassLoader instead (from jboss-modules).
(10:42:29 AM) dmlloyd: it takes care of some of the deadlock issues you can get with delegating CLs.
(10:43:31 AM) asaldhan: dmlloyd: I suggested a generic delegating CL because multiple modules (web, ejb etc) have security checks
(10:44:20 AM) dmlloyd: right, but really you only need one per deployment
(10:44:30 AM) dmlloyd: it would just delegate to the deployment + PB really
(10:44:49 AM) asaldhan: dmlloyd: does the war deployment CL follow servlet spec classloading?
(10:44:51 AM) dmlloyd: alternatively we could simply just add PB to all deployments implicitly  :) 
(10:45:03 AM) dmlloyd: yeah, asaldhan, but that shouldn't affect your delegate impl
(10:45:19 AM) dmlloyd: all that affects is the ordering of dependencies in that particular module
(10:45:34 AM) asaldhan: dmlloyd: the reason I asked is I don't want the user to seek  TCCL.getResource("/WEB-INF/classes/xyz")  he seeks xyz
(10:45:45 AM) dmlloyd: right
(10:46:00 AM) dmlloyd: they won't have to do that regardless
(10:46:31 AM) asaldhan: dmlloyd: cool.  regarding implicit addition of the PB module.  if we can do it for just the main subsystems, that would work.  web, ejb, jca etc
(10:46:35 AM) asaldhan: dmlloyd: that need sec checks
(10:47:03 AM) dmlloyd: sure. that's pretty easy, just add a processor in Phase.DEPENDENCIES
(10:47:32 AM) asaldhan: dmlloyd: give me an example of where this is done.  any subsystem?
(10:47:35 AM) dmlloyd: add PB to Attachments.MODULE_DEPENDENCIES on the deployment unit
(10:47:41 AM) dmlloyd: for an example, see...
(10:47:59 AM) dmlloyd: org.jboss.as.managedbean.processors.ManagedBeanDependencyProcessor#deploy()
(10:48:03 AM) dmlloyd: that's a pretty clean sample.
(10:48:11 AM) dmlloyd: pretty much any of baileyje's code makes for good examples.
(10:48:16 AM) asaldhan: dmlloyd: cool 
(10:48:29 AM) dmlloyd: the relevant stuff is at the end of that method
(10:48:34 AM) dmlloyd: you don't need any of the resource roots crap
(10:53:00 AM) *pmuir left the room (quit: Quit: Leaving).*
(10:53:08 AM) asaldhan: dmlloyd: with a deployment unit, can I know what type it is?  web, ejb etc?
(10:53:19 AM) asaldhan: dmlloyd: or do I have to check the suffix or something
(10:54:32 AM) dmlloyd: yeah different deployment types have different "markers"
(10:54:44 AM) dmlloyd: what I recommend though is adding your own attachment type
(10:54:58 AM) dmlloyd: it would be something like SECURITY_DEPLOYMENT, with a type of Boolean
(10:55:00 AM) asaldhan: dmlloyd: cool.  I think baileyje's code is self-explanatory
(10:55:22 AM) dmlloyd: then in each deployer which identifies a deployment type (i.e. war, ejb, whatever) you can add that attachment too
(10:55:30 AM) dmlloyd: that'll tell your processor to add the dependency
(10:55:41 AM) asaldhan: dmlloyd: got it. an optimization would be if there is no sec stuff in the war, don't add sec deps in any way
(10:55:58 AM) dmlloyd: right, the war deployer can make that call
(10:56:11 AM) dmlloyd: also if there are new types that you did not anticipate, they can add the marker as well
(10:56:21 AM) asaldhan: dmlloyd: right.
(10:57:20 AM) asaldhan: dmlloyd: historically, we have had security deployers happening before the web, ejb deployers
(10:57:51 AM) asaldhan: dmlloyd: so the war deployers will probably remove the attachments if there is no sec needed.
(10:57:57 AM) asaldhan: dmlloyd: based on deployment metadata
(10:58:14 AM) dmlloyd: sure, it can happen in whatever order makes the most sense.
(10:58:38 AM) asaldhan: dmlloyd: got it.  Thanks for the discussion.... I am going to copy/paste the discussion into that forum thread on web sec.
==========================
--------------------------------------------------------------

Reply to this message by going to Community
[http://community.jboss.org/message/580887#580887]

Start a new discussion in PicketBox Development at Community
[http://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2088]
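Added example (not PicketBox or AS7 code, and not part of the original post) in Java, showing the second option asaldhan and dmlloyd discuss above: a throwaway aggregating class loader over the deployment loader plus the security module loader, installed as TCCL only for the duration of one security check and restored in a finally block, so that a login module written "without web apps in mind" can still find a resource from WEB-INF/classes while the JAAS path loads the module class from the security loader. The names AggregatingClassLoader, withSecurityTccl and PropertiesLoginModule are assumptions, a temp directory stands in for WEB-INF/classes, the example's own class loader stands in for the PicketBox module loader, and the aggregator extends plain java.lang.ClassLoader rather than jboss-modules' ConcurrentClassLoader, so it does not address the deadlock caveat dmlloyd raises (it is safe here only because the delegates never call back into the aggregator).

```java
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.util.List;
import java.util.Properties;
import java.util.concurrent.Callable;

/** Added example, not PicketBox/AS7 code: short-lived aggregating TCCL around one security check. */
public final class ScopedSecurityTcclDemo {

    /** Consults each delegate in order; the parent is bootstrap only, so nothing else leaks in. */
    static final class AggregatingClassLoader extends ClassLoader {
        private final List<ClassLoader> delegates;

        AggregatingClassLoader(List<ClassLoader> delegates) {
            super(null);
            this.delegates = List.copyOf(delegates);
        }

        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            for (ClassLoader cl : delegates) {
                try {
                    return Class.forName(name, false, cl);
                } catch (ClassNotFoundException ignored) {
                    // not in this delegate, try the next one
                }
            }
            throw new ClassNotFoundException(name);
        }

        @Override
        protected URL findResource(String name) {
            for (ClassLoader cl : delegates) {
                URL url = cl.getResource(name);
                if (url != null) {
                    return url;
                }
            }
            return null;
        }
    }

    /** Installs the aggregator as TCCL around {@code check}, always restoring the caller's loader. */
    static <T> T withSecurityTccl(ClassLoader deploymentCl, ClassLoader securityCl, Callable<T> check)
            throws Exception {
        Thread thread = Thread.currentThread();
        ClassLoader previous = thread.getContextClassLoader();
        thread.setContextClassLoader(new AggregatingClassLoader(List.of(deploymentCl, securityCl)));
        try {
            return check.call();
        } finally {
            thread.setContextClassLoader(previous); // request threads are pooled: never leak the aggregator
        }
    }

    /** Stand-in login module (assumed): it only knows how to scan the TCCL for its resources. */
    public static final class PropertiesLoginModule {
        public boolean login(String user, String password) throws IOException {
            ClassLoader tccl = Thread.currentThread().getContextClassLoader();
            try (InputStream in = tccl.getResourceAsStream("users.properties")) {
                if (in == null) {
                    throw new FileNotFoundException("users.properties is not visible from the TCCL");
                }
                Properties users = new Properties();
                users.load(in);
                String expected = users.getProperty(user);
                return expected != null && MessageDigest.isEqual(
                        expected.getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8));
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for WEB-INF/classes: a temp directory holding one users.properties
        Path webInfClasses = Files.createTempDirectory("web-inf-classes");
        Files.writeString(webInfClasses.resolve("users.properties"), "alice=s3cret\n");
        ClassLoader deploymentCl = new URLClassLoader(new URL[] {webInfClasses.toUri().toURL()}, null);
        // Stand-in for the PicketBox module loader: whichever loader defines the login module class
        ClassLoader securityCl = ScopedSecurityTcclDemo.class.getClassLoader();

        ClassLoader before = Thread.currentThread().getContextClassLoader();
        boolean ok = withSecurityTccl(deploymentCl, securityCl, () -> {
            ClassLoader tccl = Thread.currentThread().getContextClassLoader();
            // Same shape as the JAAS path: Class.forName(LM) against the TCCL, then the LM scans the TCCL
            Class<?> lm = Class.forName(PropertiesLoginModule.class.getName(), true, tccl);
            Object module = lm.getDeclaredConstructor().newInstance();
            return (Boolean) lm.getMethod("login", String.class, String.class).invoke(module, "alice", "s3cret");
        });

        System.out.println("login ok: " + ok);
        System.out.println("TCCL restored: " + (Thread.currentThread().getContextClassLoader() == before));
        // The security loader alone cannot see the deployment's resource, which is why the aggregator exists
        System.out.println("security CL sees users.properties: " + (securityCl.getResource("users.properties") != null));
    }
}
```

The finally block is the part worth copying: the thread that runs the web or EJB security check is pooled, so a TCCL that is not restored would hand the next request a loader that can see another deployment's WEB-INF/classes. With the ordering above the deployment loader wins for resources and the security loader is only consulted when the deployment cannot satisfy a name, which matches dmlloyd's remark that system-wide resources should never be defined by what is found in a deployment.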
