geronimo-dev mailing list archives

From "Alan D. Cabrera" <...@toolazydogs.com>
Subject RE: Jetty Security Realms
Date Mon, 01 Nov 2004 03:40:57 GMT


> -----Original Message-----
> From: Aaron Mulder [mailto:ammulder@alumni.princeton.edu]
> Sent: Sunday, October 31, 2004 10:23 PM
> To: dev@geronimo.apache.org
> Subject: Jetty Security Realms
> 
> 	Near as I can tell, if you deploy a web app with a web.xml
> including a realm-name of "foo", then Jetty is going to try to use a
> UserRealm named "foo" to authenticate users to that application.  (I
> guess if you omit the realm-name tag, which is legal for form-based
> auth, it falls back on the Jetty logic to select the only security
> realm if there's 1 security realm configured and fail otherwise.)
> Unfortunately, the UserRealms available to Jetty are in one big list
> in the Jetty server.
> 	I think this means that if two totally different applications
> both use a realm-name of "Application Realm", they will be forced to
> use the same actual security realm.  I don't like this much, because
> the web.xml is provided by the developer, and the deployer has at best
> an awkward way to override that to resolve naming collisions between
> third-party web apps (copy the web.xml and use an alt-dd in the EAR).
> 	Further unfortunately, Jetty actually uses the name of the
> UserRealm when constructing its authentication challenge, such as for
> HTTP Basic Auth.  So if we do something to let the deployer override
> the identifier of the back-end security realm implementation as known
> to the Jetty web app, it'll change the challenge strings.
> 	Still further unfortunately, in order to hook Jetty up to a
> Geronimo SecurityRealm, you need to manually deploy a GBean.  I don't
> like that much because it means that even if you've got your security
> realms already up and running in your server, you can't just deploy a
> new web app and have it work, you have to deploy one or more GBeans in
> addition.  On the up side, you can deploy GBeans as part of your
> geronimo-jetty.xml deployment plan, but still, this is way Too Much
> Information for the deployer to need.
> 
> 	So anyway, I propose an enhancement to the Jetty DD and
> interface.  I suggest we add a tag for security-realm to
> geronimo-jetty.xml.  Then we add an analogous property to
> JettyWebAppContext.  In the doStart of the JettyWebAppContext, if you
> specified a security realm in geronimo-jetty.xml, we'd look up the
> correct realm in Geronimo and call setRealm with a new JAASJettyRealm
> that wraps the Geronimo realm.  That would solve all of these problems
> at once:
> 
>  - the realm-name in web.xml is no longer necessarily connected to the
>    underlying security realm that will service requests.  Two apps
>    with the same realm-name can be serviced by different actual realms.
> 
>  - the deployer (person) can wire an application up to any security
>    realm available in the server.
> 
>  - there's no GBean configuration required -- you give the name of the
>    realm you want, and the plumbing sets it up for you.

Sounds good to me.  File a JIRA issue and send it to me.  :)

> Aaron
> 
> P.S. Whether we do that or not, the geronimo-jetty.xml security
> settings seem overcomplicated since they allow you to add principals
> from more than one realm to your roles, but any given web app can only
> produce principals from one realm.

The security schema is shared amongst containers.  While it does allow
you to declare extraneous principal mappings, it doesn't force you to.
I have no problem making the schema for web apps simpler.

It's nice to have a fresh pair of eyes looking at this.  Thanks.


Regards,
Alan 
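The following is an added sketch of the wiring Aaron proposes above; it is not Geronimo or Jetty code and was not posted in the thread. `UserRealm` is a two-method stand-in for Jetty's `org.mortbay.http.UserRealm`, and `GeronimoRealm`, `JAASJettyRealm`, `JettyWebAppContext`, the `<security-realm>` element name and the realm and user names are all assumptions that only borrow the vocabulary of the discussion. It shows the two properties of the proposal that matter for security: the deployer picks the back-end realm per application, so two apps that both declare `Application Realm` in web.xml can be backed by different realms, and the wrapper reports the web.xml realm-name as its own name, so the Basic Auth challenge string does not change when the deployer rewires the back end.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

/** Two-method stand-in for Jetty's UserRealm (assumed; the real interface has more methods). */
interface UserRealm {
    String getName();                                   // Jetty builds the WWW-Authenticate challenge from this
    Principal authenticate(String user, Object credentials);
}

/** Stand-in for a Geronimo SecurityRealm already running in the server: a name and a password table. */
final class GeronimoRealm {
    final String name;
    private final Map<String, String> passwords = new HashMap<>();
    GeronimoRealm(String name) { this.name = name; }
    GeronimoRealm withUser(String user, String password) { passwords.put(user, password); return this; }
    boolean check(String user, Object credentials) {
        return credentials != null && credentials.toString().equals(passwords.get(user));
    }
}

final class SimplePrincipal implements Principal {
    private final String name;
    SimplePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

/**
 * Adapter that presents a Geronimo realm to Jetty under the realm-name from web.xml,
 * so the deployer's choice of back-end realm never leaks into the challenge string.
 */
final class JAASJettyRealm implements UserRealm {
    private final String webXmlRealmName;
    private final GeronimoRealm backend;
    JAASJettyRealm(String webXmlRealmName, GeronimoRealm backend) {
        this.webXmlRealmName = webXmlRealmName;
        this.backend = backend;
    }
    public String getName() { return webXmlRealmName; }
    public Principal authenticate(String user, Object credentials) {
        return backend.check(user, credentials) ? new SimplePrincipal(user) : null;
    }
}

/** Sketch of the proposed JettyWebAppContext property and its doStart wiring (hypothetical). */
final class JettyWebAppContext {
    private final String contextPath;
    private final String webXmlRealmName;   // <realm-name> from web.xml: the developer's choice
    private final String securityRealm;     // proposed <security-realm> in geronimo-jetty.xml: the deployer's choice
    private UserRealm realm;

    JettyWebAppContext(String contextPath, String webXmlRealmName, String securityRealm) {
        this.contextPath = contextPath;
        this.webXmlRealmName = webXmlRealmName;
        this.securityRealm = securityRealm;
    }

    /** serverRealms stands in for the Geronimo kernel lookup; no per-app GBean has to be deployed. */
    void doStart(Map<String, GeronimoRealm> serverRealms) {
        if (securityRealm == null) return;  // nothing declared: leave Jetty's own realm selection in place
        GeronimoRealm backend = serverRealms.get(securityRealm);
        if (backend == null) {
            // Fail the deployment rather than silently falling back to some other realm.
            throw new IllegalStateException(contextPath + ": no security realm named " + securityRealm);
        }
        setRealm(new JAASJettyRealm(webXmlRealmName, backend));
    }

    void setRealm(UserRealm realm) { this.realm = realm; }

    String basicChallenge() { return "Basic realm=\"" + realm.getName() + "\""; }

    boolean login(String user, String password) { return realm.authenticate(user, password) != null; }
}

public class RealmWiringDemo {
    public static void main(String[] args) {
        // Realms already running in the server (constructed sample data).
        Map<String, GeronimoRealm> serverRealms = new HashMap<>();
        serverRealms.put("hr-realm", new GeronimoRealm("hr-realm").withUser("alice", "hr-secret"));
        serverRealms.put("shop-realm", new GeronimoRealm("shop-realm").withUser("bob", "shop-secret"));

        // Both web.xml files declare <realm-name>Application Realm</realm-name>; the deployer
        // points each geronimo-jetty.xml at a different back end via the assumed <security-realm> tag.
        JettyWebAppContext hr = new JettyWebAppContext("/hr", "Application Realm", "hr-realm");
        JettyWebAppContext shop = new JettyWebAppContext("/shop", "Application Realm", "shop-realm");
        hr.doStart(serverRealms);
        shop.doStart(serverRealms);

        // The challenge carries the web.xml name for both apps, so clients see no change from rewiring.
        System.out.println(hr.basicChallenge());
        System.out.println(shop.basicChallenge());
        // alice exists only in hr-realm; the same credentials are rejected by the shop app's back end.
        System.out.println("/hr alice: " + hr.login("alice", "hr-secret"));
        System.out.println("/shop alice: " + shop.login("alice", "hr-secret"));
    }
}
```

The design choice worth noting is in `doStart`: a declared `security-realm` that the server does not know about is treated as a deployment error instead of falling back to Jetty's single-realm default, which keeps a misconfigured plan from quietly authenticating against the wrong user store.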