geronimo-dev mailing list archives

From Michael Malgeri <mmalg...@us.ibm.com>
Subject Re: Security Config File questions
Date Sat, 11 Jun 2005 00:44:22 GMT
OK, now I think I got it.

One final two-part question...hopefully.

There is a one-to-one association between a LoginModuleGBean gbean and a
JaasLoginModuleUse gbean, correct?

Which property reference ties the two together?

Is the following

<gbean name="demo-properties-login" 
class="org.apache.geronimo.security.jaas.LoginModuleGBean">

tied to the "name" property of this

<gbean name="demo-properties-login" 
class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">

or to the following reference of the same JaasLoginModuleUse gbean

<reference name="LoginModule">
            <name>demo-properties-login</name>
</reference>

or something else?

Much appreciated


Michael Malgeri
Mgr Gluecode Client Technical Services
PHONE: 310-536-8355 x 14
FAX: 310-536-9062
CELLULAR: 310-704-6403



David Jencks <david_jencks@yahoo.com>
06/10/2005 04:35 PM
Please respond to: dev
To: dev@geronimo.apache.org
cc:
Subject: Re: Security Config File questions

On Jun 10, 2005, at 11:26 AM, Michael Malgeri wrote:

>
> OK, so App1, in the standard jaas.config block,  would correspond to a 
> LoginModuleGbean as you stated. Thanks for clearing that up.
No!!
App1 corresponds to a GenericSecurityRealm which has a list of login 
modules (via the LoginModuleUse gbeans)
>
> In a business application, would it be correct to say that "App1" 
> might/should be named something like "Human_Resources_App" as opposed 
> to "demo-properties-login"? I realize it has to be named "something" 
> in the plan shipped with the distribution so "demo-properties-login" 
> is OK. I'm just trying to clarify the concepts in my mind.

yes.
>
> If I'm correct then the "Human_Resource_App", as a basic composite 
> application, may require multiple authentications to say a properties 
> file for one part of its functionality, a sql database for another 
> part and an ldap server for yet another part. Each of these logins 
> would be handled by a separate login module, correct?

yes.
>
> So the one thing that is still unclear is the fact that each login 
> module, which are JaasLoginModuleUse beans linked together, can have 
> their own separate set of options. The standard jaas.config file has a 
> 1 to many relationship between "App1" and login modules but I think 
> you're suggesting below there's a one to one relationship, unless I'm 
> reading it wrong.

LoginModuleGBeans have the login module class and the options

GenericSecurityRealm has an (ordered) list of (login module gbean + 
option).  Right now these take the slightly awkward form of a linked 
list of LoginModuleUse gbeans.

Hope this is a little clearer.

thanks
david jencks

>
> m
>
> Michael Malgeri
>  Mgr Gluecode Client Technical Services
>  PHONE: 310-536-8355 x 14
>  FAX: 310-536-9062
>  CELLULAR: 310-704-6403
>
>
> David Jencks <david_jencks@yahoo.com>
> 06/10/2005 10:45 AM
> Please respond to: dev
> To: dev@geronimo.apache.org
> cc:
> Subject: Re: Security Config File questions
>
>  On Jun 10, 2005, at 10:26 AM, Michael Malgeri wrote:
>
>  >
>  > Got a couple of security related questions:
>  >
>  > 1.  In the following snippet from the j2ee-secure-plan.xml file one of
>  > possibly many login modules (which are connected by a reference tag)
>  > are associated with the realm and the other block that appear above
>  > the realm
>  >
>  > <gbean name="demo-properties-login"
>  > class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
>  >         <attribute name="controlFlag">REQUIRED</attribute>
>  >         <reference name="LoginModule">
>  >             <name>demo-properties-login</name>
>  >         </reference>
>  >     </gbean>
>  >
>  > Each login module has a Flag, which I see in this case is "REQUIRED"
>  > But shouldn't each login module have the ability to take "options",
>  > which I don't see
>  > Is there an "options" attribute? I know there is an "options" attribute
>  > in the "LoginModuleGBean" that this block is associated with, but what
>  > do you do in the case when there are multiple login modules, i.e.
>  > multiple JaasLoginModuleUse gbeans and they each can have options?
>  >
>  > 2.  In a standard JAAS config file, there are "Application blocks"
>  > that contain groups of login modules. it looks something like
>  >
>  > App1{
>  > Class Flag Options;
>  >  Class Flag Options: etc}.
>  >
>  > where each "Class", "Flag" and "Options" is for each login module
>  >
>  > "What" tag/artifact/THING in the j2ee-secure-plan.xml file corresponds
>  > to "App1" in the preceding block?
>
>  Let's see if I can answer both questions at once, or if I just confuse
>  things further.
>
>  Each line Class Flag Options from (2) corresponds to a LoginModuleGbean
>  in geronimo, except we take out the flag.
>
>  Each App1 corresponds to a GenericSecurityRealm gbean.
>
>  We let you reuse a configured login module for several security realms.
>  Each GenericSecurityRealm gets a reference to a linked list of
>  LoginModuleUse gbeans, which supplies the order of login modules and
>  the Flag for each login module as used in the GenericSecurityRealm. It
>  may not be obvious from the j2ee-secure-plan but LoginModuleUse has a
>  reference to a next LoginModuleUse.
>
>  The examples in openejb have an alternate xml syntax that is much
>  clearer but I'm not sure it is completely approved by everyone.
>
>  thanks
>  david jencks
>
>
>  >
>  > Michael Malgeri
>  >  Mgr Gluecode Client Technical Services
>  >  PHONE: 310-536-8355 x 14
>  >  FAX: 310-536-9062
>  >  CELLULAR: 310-704-6403
>
>
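
The mapping described in this thread, sketched as an added example that is not part of the original messages and is not Geronimo code: the records below are hypothetical stand-ins for LoginModuleGBean, LoginModuleUse and GenericSecurityRealm, and walking the linked list rebuilds the ordered "Class Flag Options" lines of a standard JAAS block using the JDK's AppConfigurationEntry. The module class names, option keys and the "Admin_App" realm are constructed placeholders.

```java
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
// Hypothetical model of the three gbean kinds discussed in the thread.
public class RealmModel {
    // LoginModuleGBean: login module class + options, no flag.
    record LoginModule(String className, Map<String, String> options) {}

    // LoginModuleUse: flag + reference to a module + reference to the next use.
    record LoginModuleUse(LoginModuleControlFlag flag, LoginModule module, LoginModuleUse next) {}

    // GenericSecurityRealm: plays the role of "App1"; points at the head of the list.
    record Realm(String name, LoginModuleUse first) {
        // Walk the linked list to recover the ordered "Class Flag Options" lines.
        AppConfigurationEntry[] toJaasEntries() {
            List<AppConfigurationEntry> entries = new ArrayList<>();
            for (LoginModuleUse u = first; u != null; u = u.next()) {
                entries.add(new AppConfigurationEntry(
                        u.module().className(), u.flag(), u.module().options()));
            }
            return entries.toArray(new AppConfigurationEntry[0]);
        }
    }

    public static void main(String[] args) {
        // Constructed sample modules; class names and option keys are placeholders.
        LoginModule props = new LoginModule("example.PropertiesLoginModule",
                Map.of("usersFile", "users.properties"));
        LoginModule ldap = new LoginModule("example.LdapLoginModule",
                Map.of("url", "ldap://localhost:389"));

        // The same configured modules reused by two realms with different flags and order.
        Realm hr = new Realm("Human_Resources_App",
                new LoginModuleUse(LoginModuleControlFlag.REQUIRED, props,
                        new LoginModuleUse(LoginModuleControlFlag.OPTIONAL, ldap, null)));
        Realm admin = new Realm("Admin_App",
                new LoginModuleUse(LoginModuleControlFlag.REQUISITE, ldap, null));
        for (Realm r : List.of(hr, admin)) {
            System.out.println(r.name() + " {");
            for (AppConfigurationEntry e : r.toJaasEntries()) {
                System.out.println("  " + e.getLoginModuleName() + " "
                        + e.getControlFlag() + " " + e.getOptions() + ";");
            }
            System.out.println("}");
        }
    }
}
```

Because the flag lives on the use and not on the module, the placeholder LDAP module is OPTIONAL in one realm and REQUISITE in the other while its options are configured once.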


