[jboss-jira] [JBoss JIRA] Created: (JBAS-5096) Security Association with Virtual Hosts

Andrew Oliver (JIRA) jira-events at lists.jboss.org
Thu Dec 20 15:02:43 EST 2007 

Security Association with Virtual Hosts
---------------------------------------

                 Key: JBAS-5096
                 URL: http://jira.jboss.com/jira/browse/JBAS-5096
             Project: JBoss Application Server
          Issue Type: Feature Request
      Security Level: Public (Everyone can see)
          Components: Web (Tomcat) service
    Affects Versions: JBossAS-4.2.2.GA
            Reporter: Andrew Oliver
         Assigned To: Remy Maucherat


At present jboss-web takes one security-domain and potentially many virtual-host configurations such that one webapp is deployed to many virtual hosts with the same security domain. For websites with multiple regions, it often makes sense to use DIFFERENT security domains for each virtual host.

Today we can have only

jboss-web
  security-association
  virtual-host

Ideally we could have

jboss-web
  virtual-host
     security-association
  virtual-host
     security-association

Or:

jboss-web
  security-association
  virtual-host
     security-association
  virtual-host
     security-association

where the virtual host security-associations would override the parent.

In tomcat/src/main/org/jboss/web/tomcat/service/TomcatDeployer.xml the performDeployInternal happens ALREADY for each hostname. At present it uses ONE SecurityAssociationValve for all virtual hosts and the securityassociationvalve is configured with the metaData.getSecurityDomain(). This could instead be a seperate SecurityAssociationValve for each host with the securitydomain as an argument (used to flush the authentication cache). Elsewhere, the ENC/security/security-domain is used. This instead could be the ENC/security/vhost/security-domain or securityMgr (they ultimately are the same thing in server/src/main/org/jboss/web/AbstractWebDeployer).

The trickiest piece isn't the server code, this would require some refactoring but doing the descriptor in an adequate but backward compatible way. <virtual-host>hostname</virtual-host> becomes <virtual-host>xxx</virtual-host><security-domain>domain</security-domain> or something like that. Ideally it would be <virtual-host>xxx<security-domain>xxx</security-domain></virtual-host> for clarity.



-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list