geronimo-dev mailing list archives

From Aaron Mulder <ammul...@alumni.princeton.edu>
Subject Security Realm Name vs. JAAS applicationConfigName
Date Tue, 02 Nov 2004 02:58:58 GMT
	So there are currently two parts to deploying a security realm 
(example at end of e-mail):

1) a GBean containing the realm itself

2) a GBean declaring a JAAS ConfigurationEntry for that realm

	It seems kind of unfortunate, but these two GBeans can use two 
different name attributes (they would have distinct ObjectNames even if 
their name attributes were identical).  As far as I understand, the 
process goes like this:

 - when a user wants to log in, they identify a realm by providing its 
   ConfigurationEntry name (either in app client code, or in Jetty
   configuration [currently using another GBean])

 - during the login, the user's principals are duplicated into realm
   principals containing the name of the security realm (not the
   ConfigurationEntry name)

 - when mapping roles to principals, the deployer identifies each
   realm by its realm name (not ConfigurationEntry name)

 - if using a realm bridge, it identifies the target realm by its
   ConfigurationEntry name

My first inclination is to make the name attributes used by these two
GBeans match.  For example, if we remove the applicationConfigName
property from the ConfigurationEntry GBean, we could just make it use the
realm name as its applicationConfigName and then there wouldn't be any
confusion over which to use where.

My second inclination is just to combine the two GBeans into one.  Every
security realm needs a ConfigurationEntry or no client/bridge can actually
access it.  It also seems weird to pass security realm attributes in one 
place (the realm GBean) and login module attributes in a different place 
(the ConfigurationEntry GBean).  If these two GBeans were one (perhaps 
passing the realm class as a property to the ConfigurationEntry, I don't 
know), there would be no name confusion and only one GBean per realm.  It 
would make the attributes a bit messy, but they're already bad enough that 
that doesn't bother me.  My main question is, is there ever a solid reason 
to deploy multiple ConfigurationEntries for one realm?

Thanks,
	Aaron

(from j2ee-secure-plan.xml:)

    <!-- JAAS Application Config Entry -->
    <gbean name="geronimo.security:type=ConfigurationEntry,jaasId=jaasTest"
           class="org.apache.geronimo.security.jaas.ConfigurationEntryRealmLocal">
        <attribute name="applicationConfigName" type="java.lang.String">jaasTest</attribute>
        <attribute name="realmName" type="java.lang.String">demo-properties-realm</attribute>
        <attribute name="controlFlag" type="org.apache.geronimo.security.jaas.LoginModuleControlFlag">REQUIRED</attribute>
        <attribute name="options" type="java.util.Properties">foo=bar</attribute>
    </gbean>

    <!-- Demo Properties File Realm -->
    <gbean name="geronimo.security:type=SecurityRealm,realm=demo-properties-realm"
           class="org.apache.geronimo.security.realm.providers.PropertiesFileSecurityRealm">
        <attribute name="realmName" type="java.lang.String">demo-properties-realm</attribute>
        <attribute name="maxLoginModuleAge" type="long">10000</attribute>
        <attribute name="usersURI" type="java.net.URI">var/security/demo_users.properties</attribute>
        <attribute name="groupsURI" type="java.net.URI">var/security/demo_groups.properties</attribute>
        <reference name="ServerInfo">geronimo.system:role=ServerInfo</reference>
    </gbean>
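
Added example (not part of the original message and not Geronimo code): a small Python lint over a deployment plan that reports the naming cases the message describes, namely a ConfigurationEntry name that differs from its realm name, an entry pointing at an undeployed realm, a realm with no entry, and a realm with several entries. Assumptions: a ConfigurationEntry GBean is recognized by its applicationConfigName attribute, and the <plan> wrapper element and the lint_plan name are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the two GBeans from the message, trimmed to their naming
# attributes and wrapped in a placeholder <plan> root so the fragment parses.
SAMPLE_PLAN = """<plan>
  <gbean name="geronimo.security:type=ConfigurationEntry,jaasId=jaasTest">
    <attribute name="applicationConfigName" type="java.lang.String">jaasTest</attribute>
    <attribute name="realmName" type="java.lang.String">demo-properties-realm</attribute>
  </gbean>
  <gbean name="geronimo.security:type=SecurityRealm,realm=demo-properties-realm">
    <attribute name="realmName" type="java.lang.String">demo-properties-realm</attribute>
  </gbean>
</plan>"""


def lint_plan(xml_text):
    """Return (code, detail) findings about realm vs. ConfigurationEntry names."""
    entries = defaultdict(list)  # realmName -> [applicationConfigName, ...]
    realms = set()               # realmName of every deployed realm GBean
    for gbean in ET.fromstring(xml_text).iter("gbean"):
        attrs = {a.get("name"): (a.text or "").strip() for a in gbean.findall("attribute")}
        if "applicationConfigName" in attrs:   # assumed marker of a ConfigurationEntry
            entries[attrs.get("realmName", "")].append(attrs["applicationConfigName"])
        elif "realmName" in attrs:             # otherwise treated as the realm itself
            realms.add(attrs["realmName"])
    findings = []
    for realm, names in sorted(entries.items()):
        if realm not in realms:
            findings.append(("entry-without-realm", f"{names} reference {realm!r}"))
        if len(names) > 1:
            findings.append(("multiple-entries", f"{realm!r} has entries {names}"))
        for n in names:
            if n != realm:  # login uses n; realm principals and role mapping use realm
                findings.append(("name-mismatch", f"login name {n!r}, realm name {realm!r}"))
    for realm in sorted(realms - set(entries)):
        # Per the message, no client or bridge can reach a realm without an entry.
        findings.append(("realm-without-entry", f"{realm!r} has no ConfigurationEntry"))
    return findings


if __name__ == "__main__":
    for code, detail in lint_plan(SAMPLE_PLAN):
        print(f"{code}: {detail}")
```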

