geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alan Cabrera <Alan.Cabr...@reuters.com>
Subject RE: Security providers
Date Thu, 19 Aug 2004 21:37:26 GMT
> -----Original Message-----
> From: Dain Sundstrom [mailto:dain@coredevelopers.net]
> Sent: Monday, August 16, 2004 8:39 PM
> To: dev@geronimo.apache.org
> Subject: Re: Security providers
>
> On Aug 16, 2004, at 5:55 PM, David Blevins wrote:
>
>> Is the securtiy stuff hooked up by default?  If not, what does it
 take
>> to get a Provider plugged in?  Or how do you change from one to the
>> other?
>
> ...and what the heck is a provider?  What does it provide?  Is this
> just authentication ala JAAS?  Is think authorization ala JACC? Is it
a
> combination?  Is it a java platform SecurityManager?  What is it?
>
> -dain

Security realm providers are part of an authentication collaboration
with the GeronimoLoginConfiguration class to provide JAAS LoginContexts
their LoginModules for login.  This authentication collaboration creates
security contexts on the server side that the LoginService manages; the
security contexts are indexed by an IdentificationPrincipal that is
injected into the returned Subject at login time. 

What does all this buy us?  Why don't we use vanilla JAAS?  The reason
is that we don't trust the client to invoke the LoginModules.  We also
want to keep the security contexts on the server side, for obvious
reasons. 

The IdentificationPrincipal can be used to pick up the login Subject
from the ContextManager for JACC permission checks. What I do is to
associate the login subject with the thread via a Subject.doAs() before
making any EJB calls.  JNDI wrappers pick up the IdentificationPrincipal
and injects it into the EJB call.  The server extracts this
IdentificationPrincipal and uses it to set the proper caller for the
authorization checks.  The IdentificationPrincipal is cryptographically
difficult to spoof so the client cannot surreptitiously switch the
identification of the caller.

The Security realm provider is not a java platform SecurityManager.


Regards,
Alan




-----------------------------------------------------------------
        Visit our Internet site at http://www.reuters.com

Get closer to the financial markets with Reuters Messaging - for more
information and to register, visit http://www.reuters.com/messaging

Any views expressed in this message are those of  the  individual
sender,  except  where  the sender specifically states them to be
the views of Reuters Ltd.


Mime
View raw message