geronimo-dev mailing list archives

From "Alan D. Cabrera" <>
Subject RE: Jetty Security Realms
Date Mon, 01 Nov 2004 03:40:57 GMT

> -----Original Message-----
> From: Aaron Mulder []
> Sent: Sunday, October 31, 2004 10:23 PM
> To:
> Subject: Jetty Security Realms
> 	Near as I can tell, if you deploy a web app with a web.xml
> including a realm-name of "foo", then Jetty is going to try to use a
> UserRealm named "foo" to authenticate users to that application.  (I
> if you omit the realm-name tag, which is legal for form-based auth, it
> falls back on the Jetty logic to select the only security realm if
> 1 security realm configured and fail otherwise.)  Unfortunately, the
> UserRealms available to Jetty are in one big list in the Jetty server.
> 	I think this means that if two totally different applications
> use a realm-name of "Application Realm", they will be forced to use
> same actual security realm.  I don't like this much, because the
> is provided by the developer, and the deployer has at best an awkward
> to override that to resolve naming collisions between third-party web
> (copy the web.xml and use an alt-dd in the EAR).
> 	Further unfortunately, Jetty actually uses the name of the
> UserRealm when constructing its authentication challenge, such as for
> Basic Auth.  So if we do something to let the deployer override the
> identifier of the back-end security realm implementation as known to
> Jetty web app, it'll change the challenge strings.
> 	Still further unfortunately, in order to hook Jetty up to a
> Geronimo SecurityRealm, you need to manually deploy a GBean.  I don't
> that much because it means that even if you've got your security
> already up and running in your server, you can't just deploy a new web
> and have it work, you have to deploy one or more GBeans in addition.
> the up side, you can deploy GBeans as part of your geronimo-jetty.xml
> deployment plan, but still, this is way Too Much Information for the
> deployer to need.
> 	So anyway, I propose an enhancement to the Jetty DD and
> I suggest we add a tag for security-realm to geronimo-jetty.xml.  Then
> add an analogous property to JettyWebAppContext.  In the doStart of
> JettyWebAppContext, if you specified a security realm in
> geronimo-jetty.xml, we'd look up the correct realm in Geronimo and
> setRealm with a new JAASJettyRealm that wraps the Geronimo realm.
> would solve all of these problems at once:
>  - the realm-name in web.xml is no longer necessarily connected to the
>    underlying security realm that will service requests.  Two apps
>    the same realm-name can be serviced by different actual realms.
>  - the deployer (person) can wire an application up to any security
>    available in the server.
>  - there's no GBean configuration required -- you give the name of the
>    realm you want, and the plumbing sets it up for you.

Sounds good to me.  File a JIRA issue and send it to me.  :)

> Aaron
> P.S. Whether we do that or not, the geronimo-jetty.xml security
> seem overcomplicated since they allow you to add principals from more
> one realm to your roles, but any given web app can only produce
> from one realm.

The security schema is shared amongst containers.  While it does allow
you to declare extraneous principal mappings, it doesn't force you to.
I have no problem making the schema for web apps simpler.

It's nice to have a fresh pair of eyes looking at this.  Thanks.

