geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aaron Mulder <>
Subject Jetty Security Realms
Date Mon, 01 Nov 2004 03:22:56 GMT
	Near as I can tell, if you deploy a web app with a web.xml
including a realm-name of "foo", then Jetty is going to try to use a
UserRealm named "foo" to authenticate users to that application.  (I guess
if you omit the realm-name tag, which is legal for form-based auth, it
falls back on the Jetty logic to select the only security realm if there's
1 security realm configured and fail otherwise.)  Unfortunately, the
UserRealms available to Jetty are in one big list in the Jetty server.
	I think this means that if two totally different applications both 
use a realm-name of "Application Realm", they will be forced to use the 
same actual security realm.  I don't like this much, because the web.xml 
is provided by the developer, and the deployer has at best an awkward way 
to override that to resolve naming collisions between third-party web apps 
(copy the web.xml and use an alt-dd in the EAR).
	Further unfortunately, Jetty actually uses the name of the
UserRealm when constructing its authentication challenge, such as for HTTP
Basic Auth.  So if we do something to let the deployer override the
indentifier of the back-end security realm implementation as known to the
Jetty web app, it'll change the challenge strings.
	Still further unfortunately, in order to hook Jetty up to a 
Geronimo SecurityRealm, you need to manually deploy a GBean.  I don't like 
that much because it means that even if you're got your security realms 
already up and running in your server, you can't just deploy a new web app 
and have it work, you have to deploy one or more GBeans in addition.  On 
the up side, you can deploy GBeans as part of your geronimo-jetty.xml 
deployment plan, but still, this is way Too Much Information for the 
deployer to need.

	So anyway, I propose an enhancement to the Jetty DD and interface.  
I suggest we add a tag for security-realm to geronimo-jetty.xml.  Then we
add an analogous property to JettyWebAppContext.  In the doStart of the
JettyWebAppContext, if you specified a security realm in
geronimo-jetty.xml, we'd look up the correct realm in Geronimo and call
setRealm with a new JAASJettyRealm that wraps the Geronimo realm.  That
would solve all of these problems at once:

 - the realm-name in web.xml is no longer necessarily connected to the
   underlying security realm that will service requests.  Two apps with
   the same realm-name can be serviced by different actual realms.

 - the deployer (person) can wire an application up to any security realm
   available in the server.

 - there's no GBean configuration required -- you give the name of the
   realm you want, and the plumbing sets it up for you.


P.S. Whether we do that or not, the geronimo-jetty.xml security settings
seem overcomplicated since they allow you to add principals from more than
one realm to your roles, but any given web app can only produce principals
from one realm.

View raw message