[jboss-user] [Security & JAAS/JBoss] - <auth-constraint> question and authenticator classes, Custom

brengl do-not-reply at jboss.com
Fri Dec 7 10:47:01 EST 2007

I have a couple of questions about 'firing' a JBoss authenticator class. It appears that the authenticator class is called only when there is an <auth-constraint> in the deployed application's web.xml file. Also, the <auth-constraint> block seems to require a <role-name> directive.

Is this true?

My dilemma is this: as I mentioned in another thread, I have a custom Authenticator class that obtains credentials from a valid SMSESSION token, and it creates a user principal with a null password and role. The assumption is that you are accessing JBoss via an HTTP proxy that has a Siteminder agent, where you are authenticated and authorized to access the resource, and the SMSESSION token is put in the request object that is passed along to JBoss.

In this case user roles do not really apply. Siteminder does not utilize them; it does authorization based on its own policies that are created for resources. Unless the role mapping is done from an external user registry or property file, there is no way, or need, for this custom authenticator to populate the user principal with a role. Even if role mapping is performed outside of Siteminder, it is basically redundant and unneeded.

I currently have this working by specifying '*' as the <role-name> in the <auth-constraint> section of web.xml. Then I am allowed into the application regardless of the role value in the user principal or the login module. I'm looking for a better way to do this.
Is there a way to cause the authenticator to be 'fired' without needing to specify a <role-name> directive at all? 

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4111268#4111268

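The web.xml arrangement the post describes, written out as an added example (constructed here, not taken from the post or from JBoss documentation). The <url-pattern>, realm name and <auth-method> value are assumptions; how the custom authenticator is registered under a given auth-method name in JBoss is outside the post, so that value is a placeholder.

```xml
<!-- Constructed example: a security constraint covering every URL whose
     <auth-constraint> accepts any authenticated user via role-name '*'. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything behind the Siteminder proxy</web-resource-name>
      <url-pattern>/*</url-pattern>   <!-- assumed pattern -->
    </web-resource-collection>
    <auth-constraint>
      <!-- '*' means any authenticated user, whatever roles (if any) the
           custom authenticator placed in the principal. -->
      <role-name>*</role-name>
    </auth-constraint>
    <!-- Per the Servlet spec: an empty <auth-constraint/> denies ALL access,
         and leaving <auth-constraint> out entirely leaves these URLs
         unprotected, so neither is a substitute for '*'. -->
  </security-constraint>

  <login-config>
    <!-- Placeholder: the name the custom authenticator is registered under -->
    <auth-method>SMSESSION</auth-method>
    <realm-name>siteminder</realm-name>   <!-- assumed realm name -->
  </login-config>

</web-app>
```

Because '*' trusts whatever principal the authenticator creates, this configuration is only as strong as the assumption in the post that every request reaches JBoss through the Siteminder-protected proxy; a JBoss instance reachable directly would accept any request that carried a token the authenticator considers valid, so the network path to the container is part of the control. If a JAAS login module is also meant to run, JBoss additionally expects a <security-domain> in jboss-web.xml, which the post does not describe and is not shown here.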