geronimo-dev mailing list archives

From David Jencks <>
Subject Re:*ModuleConfiguration broke Geronimo-Nova integration
Date Mon, 05 Jan 2004 07:38:21 GMT

On Sunday, January 4, 2004, at 11:10 AM, Alan D. Cabrera wrote:

>> -----Original Message-----
>> From: David Jencks []
>> I think so.
>> However, I'm pretty confused at the moment by all the different
>> concepts around security.  If you could spend a few minutes and
>> explain how
>> contextID
>> realm
>> role
>> principal
>> permission
>> relate I'd really appreciate it.  In particular I really don't
>> understand how realms and contextIDs relate and may have put the wrong
>> call in the EJBModuleDeploymentPlanner.
> This can be split up into two parts, Authentication and Authorization.
> On the authentication side, Security realms provide LoginModules that
> populate Subjects w/ their principals.  Geronimo wraps these
> LoginModules with its own so that it can register the Subjects and
> perform various optimizations; I was thinking that it would be a good
> idea to allow non-Geronimo LoginModules.
> Authorization is handled by PolicyConfigurations; these are indexed by
> context ids which uniquely identify a deployed application.  Roles and
> their permissions are registered w/ the PolicyConfiguration.  I have
> further extended this so that principals can be mapped to roles and
> then, as an optimization, principals are mapped to permissions.

OK, this makes sense.  However, there are a lot of levels of 
indirection (let's assume there is only one realm):

user --nxm-- principal --nxm-- role --nxm-- method

If there is only one realm and it is easy to specify the principals 
each user gets in the login system, it might be worthwhile to provide
a shortcut security mapping that equated roles and principals.  Does 
this make any sense?

david jencks
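
The two halves of the model described in this thread (a realm that turns a login into a Subject's principals; a PolicyConfiguration indexed by context id that maps roles to permissions, principals to roles, and, after commit, principals straight to permissions) and the proposed shortcut that equates roles with principals, as an added illustration that is not Geronimo code. It is a small Python model of the concepts, not the JACC API: the class and function names, the `app#module` context id strings, the user and role names and the passwords are all constructed for the example.

```python
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class MethodPermission:
    """Permission to call one EJB method (a stand-in for JACC's EJBMethodPermission)."""
    ejb: str
    method: str


@dataclass
class PolicyConfiguration:
    """Authorization data for one deployed application, identified by context_id."""
    context_id: str
    role_permissions: dict = field(default_factory=dict)      # role -> {MethodPermission}
    principal_roles: dict = field(default_factory=dict)       # principal -> {role}
    principal_permissions: dict = field(default_factory=dict)  # principal -> frozenset(perm), built by commit()
    committed: bool = False

    def add_to_role(self, role, permission):
        if self.committed:
            raise RuntimeError("cannot modify a committed PolicyConfiguration")
        self.role_permissions.setdefault(role, set()).add(permission)

    def map_principal_to_role(self, principal, role):
        if self.committed:
            raise RuntimeError("cannot modify a committed PolicyConfiguration")
        self.principal_roles.setdefault(principal, set()).add(role)

    def commit(self):
        # The optimization from the thread: flatten principal -> role -> permission
        # into a direct principal -> permission table once, at deploy time.
        self.principal_permissions = {
            principal: frozenset(
                perm for role in roles for perm in self.role_permissions.get(role, ())
            )
            for principal, roles in self.principal_roles.items()
        }
        self.committed = True

    def implies(self, principals, permission):
        """Access-time check: any of the Subject's principals grants the permission."""
        if not self.committed:
            raise RuntimeError("PolicyConfiguration has not been committed")
        return any(permission in self.principal_permissions.get(p, ()) for p in principals)


def shortcut_mapping(config):
    """The shortcut proposed above: every role R is granted to the principal named R."""
    for role in list(config.role_permissions):
        config.map_principal_to_role(role, role)


class Realm:
    """Authentication side: a successful login yields the Subject's principals."""

    def __init__(self, users):
        self._users = dict(users)  # user -> (password, {principal names}); constructed sample

    def login(self, user, password):
        entry = self._users.get(user)
        if entry is None or not hmac.compare_digest(entry[0], password):
            return None  # failed login: no Subject, so no principals
        return frozenset(entry[1])


def is_authorized(policies, realm, user, password, context_id, permission):
    """Walk the chain user -> principals -> (context id) -> permissions."""
    principals = realm.login(user, password)
    if principals is None:
        return False
    config = policies.get(context_id)  # unknown context id: nothing is granted
    if config is None:
        return False
    return config.implies(principals, permission)


def build_sample():
    """Constructed realm and two policy configurations (hypothetical names)."""
    realm = Realm({
        "alice": ("alice-pw", {"alice", "managers"}),
        "bob": ("bob-pw", {"bob", "staff"}),
    })
    transfer = MethodPermission("AccountBean", "transfer")
    deposit = MethodPermission("AccountBean", "deposit")

    # Full chain with an explicit principal -> role mapping.
    bank = PolicyConfiguration("bank-app#AccountEJB")
    bank.add_to_role("Manager", transfer)
    bank.add_to_role("Teller", deposit)
    bank.map_principal_to_role("managers", "Manager")
    bank.map_principal_to_role("managers", "Teller")
    bank.map_principal_to_role("staff", "Teller")
    bank.commit()

    # Shortcut: role names double as principal names, no explicit mapping needed.
    audit = PolicyConfiguration("audit-app#ReportEJB")
    audit.add_to_role("managers", MethodPermission("ReportBean", "approve"))
    audit.add_to_role("staff", MethodPermission("ReportBean", "view"))
    shortcut_mapping(audit)
    audit.commit()

    return realm, {bank.context_id: bank, audit.context_id: audit}
```

Because each PolicyConfiguration is keyed by its own context id, a permission granted in one deployed application says nothing about another one: the same principal that can call `transfer` in the bank context gets no access to it through the audit context. The commit step is what makes the per-call check a single table lookup rather than a walk through roles.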
