[jboss-jira] [JBoss JIRA] (AS7-6367) Allow more flexibility in the way EJB authentication is handled with regards to remoting and security-realms

Mon Jan 21 10:57:22 EST 2013

     [ https://issues.jboss.org/browse/AS7-6367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Derek Horton updated AS7-6367:
------------------------------

    Description: 
My confusion is around the remoting/security-realm setup in the use case
where multiple EJBs are deployed that use different security-domains and
the EJBs will be invoked by remote standalone clients.  For example,
ejbX needs to be in the sec-domain-X security-domain, while ejbY needs to
be in the sec-domain-Y security-domain.

In this situation, the authentication checks are going to be handled by
the security-realm that is associated with the remote connector that is
configured to be used by the EJB subsystem.

It looks like the security-realm can either handle the authentication
checks directly (properties file, ldap, etc) or it can defer to the
jaas security-domain.  In both of those situations, it seems that the
EJBs are limited to a single authentication point.  The EJB
authentication is either going to be handled by a single security-realm
or the security-realm will defer to a single security-domain.

I could configure the security-domain to have multiple login modules.  I
assume the same thing could be done with the security-realm.

Basically the problem that I am trying to solve boils down to this:  the
authentication checks for remote EJBs appear to be checked by either a
single security-realm or a single security-domain.  Is there a way to
change this?

One idea I had was to add another remote connector to the EJB subsystem.
Unfortunately, this does not appear to be possible.

> Allow more flexibility in the way EJB authentication is handled with regards to remoting and security-realms
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: AS7-6367
>                 URL: https://issues.jboss.org/browse/AS7-6367
>             Project: Application Server 7
>          Issue Type: Bug
>          Components: EJB
>    Affects Versions: 7.1.3.Final (EAP)
>            Reporter: Derek Horton
>            Assignee: jaikiran pai
>
> My confusion is around the remoting/security-realm setup in the use case
> where multiple EJBs are deployed that use different security-domains and
> the EJBs will be invoked by remote standalone clients.  For example,
> ejbX needs to be in the sec-domain-X security-domain, while ejbY needs to
> be in the sec-domain-Y security-domain.
> In this situation, the authentication checks are going to be handled by
> the security-realm that is associated with the remote connector that is
> configured to be used by the EJB subsystem.
> It looks like the security-realm can either handle the authentication
> checks directly (properties file, ldap, etc) or it can defer to the
> jaas security-domain.  In both of those situations, it seems that the
> EJBs are limited to a single authentication point.  The EJB
> authentication is either going to be handled by a single security-realm
> or the security-realm will defer to a single security-domain.
> I could configure the security-domain to have multiple login modules.  I
> assume the same thing could be done with the security-realm.
> Basically the problem that I am trying to solve boils down to this:  the
> authentication checks for remote EJBs appear to be checked by either a
> single security-realm or a single security-domain.  Is there a way to
> change this?
> One idea I had was to add another remote connector to the EJB subsystem.
> Unfortunately, this does not appear to be possible.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira