[jboss-jira] [JBoss JIRA] Updated: (JBAS-5096) Separate Security Domains with Virtual Hosts

Dimitris Andreadis (JIRA) jira-events at lists.jboss.org
Mon Sep 15 05:45:20 EDT 2008


     [ https://jira.jboss.org/jira/browse/JBAS-5096?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dimitris Andreadis updated JBAS-5096:
-------------------------------------

    Fix Version/s:     (was: JBossAS-5.0.0.CR2)


Ok, so is there interest to implement this / who / when?

> Separate Security Domains with Virtual Hosts
> --------------------------------------------
>
>                 Key: JBAS-5096
>                 URL: https://jira.jboss.org/jira/browse/JBAS-5096
>             Project: JBoss Application Server
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: Web (Tomcat) service
>    Affects Versions: JBossAS-4.2.2.GA
>            Reporter: Andrew Oliver
>            Assignee: Anil Saldhana
>
> At present jboss-web takes one security-domain and potentially many virtual-host configurations such that one webapp is deployed to many virtual hosts with the same security domain. For websites with multiple regions, it often makes sense to use DIFFERENT security domains for each virtual host.
> Today we can have only
> jboss-web
>   security-association
>   virtual-host
> Ideally we could have
> jboss-web
>   virtual-host
>      security-association
>   virtual-host
>      security-association
> Or:
> jboss-web
>   security-association
>   virtual-host
>      security-association
>   virtual-host
>      security-association
> where the virtual host security-associations would override the parent.
> In tomcat/src/main/org/jboss/web/tomcat/service/TomcatDeployer.xml the performDeployInternal happens ALREADY for each hostname. At present it uses ONE SecurityAssociationValve for all virtual hosts and the SecurityAssociationValve is configured with the metaData.getSecurityDomain(). This could instead be a separate SecurityAssociationValve for each host with the security domain as an argument (used to flush the authentication cache). Elsewhere, the ENC/security/security-domain is used. This instead could be the ENC/security/vhost/security-domain or securityMgr (they ultimately are the same thing in server/src/main/org/jboss/web/AbstractWebDeployer).
> The trickiest piece isn't the server code (this would require some refactoring) but doing the descriptor in an adequate but backward-compatible way. <virtual-host>hostname</virtual-host> becomes <virtual-host>xxx</virtual-host><security-domain>domain</security-domain> or something like that. Ideally it would be <virtual-host>xxx<security-domain>xxx</security-domain></virtual-host> for clarity.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
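
The override rule proposed in the issue description, as an added example (not JBoss code and not part of the original message): it parses a constructed descriptor in the nested `<virtual-host>` form and resolves each host's effective security domain, falling back to the top-level element. The class name, helper names, host names and JNDI domain names are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class VhostSecurityDomains {
    // Constructed sample in the nested form from the request; hypothetical, not an existing jboss-web.xml schema.
    static final String SAMPLE = "<jboss-web>"
        + "<security-domain>java:/jaas/default</security-domain>"
        + "<virtual-host>eu.example.com<security-domain>java:/jaas/eu</security-domain></virtual-host>"
        + "<virtual-host>us.example.com</virtual-host>"
        + "</jboss-web>";

    // Text of the first direct child element called name, or null if there is none.
    static String childText(Element parent, String name) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling())
            if (n instanceof Element && name.equals(n.getNodeName())) return n.getTextContent().trim();
        return null;
    }

    // Host name = the element's own text nodes only, so a nested <security-domain> is not glued onto it.
    static String ownText(Element e) {
        StringBuilder sb = new StringBuilder();
        for (Node n = e.getFirstChild(); n != null; n = n.getNextSibling())
            if (n.getNodeType() == Node.TEXT_NODE) sb.append(n.getNodeValue());
        return sb.toString().trim();
    }

    // Effective domain per virtual host: its own child element if present, otherwise the parent's.
    static Map<String, String> resolve(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Descriptors arrive inside deployed archives: reject DOCTYPEs so no external entity is resolved.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        String parentDomain = childText(root, "security-domain"); // backward-compatible top-level element
        Map<String, String> effective = new LinkedHashMap<>();
        for (Node n = root.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (!(n instanceof Element) || !"virtual-host".equals(n.getNodeName())) continue;
            String own = childText((Element) n, "security-domain");
            effective.put(ownText((Element) n), own != null ? own : parentDomain);
        }
        return effective;
    }

    public static void main(String[] args) throws Exception {
        resolve(SAMPLE).forEach((host, domain) -> System.out.println(host + " -> " + domain));
    }
}
```

A host mapped to `null` has no domain at either level; a deployer adopting this scheme would have to decide whether that means the server default or a rejected deployment.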

        


