geronimo-dev mailing list archives

From David Jencks <djen...@gluecode.com>
Subject Including loginDomainName in realm principal might not be useful
Date Mon, 27 Dec 2004 06:49:04 GMT
I've been trying to understand the creation of RealmPrincipals to wrap 
principals added to a Subject by LoginModules and I wonder if including 
the loginDomainName (i.e., a name for a LoginModule) actually is of any 
use or if it serves to provide a false sense of security.  Here's the 
problem I see:

Suppose we have a realm with two login domains D1 and D2 that each use 
the same principal classes, but are attached to different backend 
systems.  This seems to me to be the situation that including the 
loginDomainName is intended to help with, by distinguishing whether a 
principal was added by D1 or D2.  So, we imagine that D1 and D2 both 
have a group Foo, but with very different meaning and hence role 
mappings.

If only D1 adds a group principal named Foo, that's fine, we get a 
RealmPrincipal labeled with D1 wrapping a Foo group principal.

Similarly, if only D2 adds a group principal named Foo, that is also 
fine, we get a RealmPrincipal labeled with D2 wrapping a Foo group 
principal.

However, if both D1 and D2 add a group principal named Foo, that is not 
fine, since we will only get a single RealmPrincipal, labeled with D1, 
wrapping a Foo group principal.  We should get two RealmPrincipals, 
each wrapping a (separate, but that is unimportant) Foo group 
principal, one labeled with D1 and the other labeled with D2.

The reason this happens is that all the login modules are adding 
principals to a set in a single Subject, so after D1 adds its Foo group 
principal, D2's effort to add another copy of the same principal has no 
effect.

Unless someone can find a way to work around this problem I think we 
should stop tracking the login domain name in the RealmPrincipal 
because it can lead to surprising and unpredictable results.

The only workaround I can think of is to provide each login module with 
a separate Subject instance and wrap and combine the principals 
ourselves in a separate Subject instance we maintain in the 
JaasLoginContext.  Perhaps the named LoginModules could each get their 
own independent Subject and the non-named LoginModules use the shared 
Subject?  Or a flag could control whether the shared Subject is used?

Comments? Have I misunderstood something here?

many thanks
david jencks
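
The collision described in the message above, and the per-module Subject workaround it proposes, as an added example that is not part of the original message and is not Geronimo code. `Group`, `Labeled` (a stand-in for a RealmPrincipal) and `moduleCommit` are hypothetical names, and the wrapping step is assumed to label whatever principals each module newly added; it needs Java 16 or later for records.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

public class LoginDomainLabelDemo {
    // Hypothetical group principal; records compare by field value, so two "Foo" groups are equal.
    record Group(String name) implements Principal {
        public String getName() { return name; }
    }

    // Hypothetical stand-in for a RealmPrincipal: a login domain label plus the wrapped principal.
    record Labeled(String domain, Principal wrapped) implements Principal {
        public String getName() { return domain + ":" + wrapped.getName(); }
    }

    // Simulates a LoginModule commit(): every domain's backend reports a group named Foo.
    static void moduleCommit(Subject s) { s.getPrincipals().add(new Group("Foo")); }

    // Shared Subject: after each module runs, wrap only the principals it newly added.
    static Set<Principal> sharedSubject(List<String> domains) {
        Subject shared = new Subject();
        Set<Principal> labeled = new LinkedHashSet<>();
        for (String d : domains) {
            Set<Principal> before = new HashSet<>(shared.getPrincipals());
            moduleCommit(shared); // a second equal Foo is silently dropped by the Set
            for (Principal p : shared.getPrincipals())
                if (!before.contains(p)) labeled.add(new Labeled(d, p));
        }
        return labeled;
    }

    // Workaround: each module gets its own Subject; labels are applied while combining.
    static Set<Principal> perModuleSubject(List<String> domains) {
        Set<Principal> labeled = new LinkedHashSet<>();
        for (String d : domains) {
            Subject own = new Subject();
            moduleCommit(own);
            for (Principal p : own.getPrincipals()) labeled.add(new Labeled(d, p));
        }
        return labeled;
    }

    public static void main(String[] args) {
        List<String> domains = List.of("D1", "D2");
        System.out.println("shared:     " + sharedSubject(domains));
        System.out.println("per-module: " + perModuleSubject(domains));
    }
}
```

With the shared Subject, which domain label survives depends only on module order, so a role mapping keyed on the D2 label never matches even though D2 authenticated the group.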

