geronimo-dev mailing list archives

From Michael Malgeri <>
Subject Re: Security Config File questions
Date Fri, 10 Jun 2005 18:26:58 GMT
OK, so App1, in the standard jaas.config block,  would correspond to a 
LoginModuleGbean as you stated. Thanks for clearing that up. 

In a business application, would it be correct to say that "App1" 
might/should be named something like "Human_Resources_App" as opposed to 
"demo-properties-login"? I realize it has to be named "something" in the 
plan shipped with the distribution so "demo-properties-login" is OK. I'm 
just trying to clarify the concepts in my mind.

If I'm correct then the "Human_Resource_App", as a basic composite 
application, may require multiple authentications to say a properties file 
for one part of its functionality, a sql database for another part and an 
ldap server for yet another part. Each of these logins would be handled by 
a separate login module, correct? 

So the one thing that is still unclear is the fact that each login module, 
which are JaasLoginModuleUse beans linked together, can have their own 
separate set of options. The standard jaas.config file has a 1 to many 
relationship between "App1" and login modules but I think you're 
suggesting below there's a one to one relationship, unless I'm reading it 


Michael Malgeri
Mgr Gluecode Client Technical Services
PHONE: 310-536-8355 x 14
FAX: 310-536-9062
CELLULAR: 310-704-6403

David Jencks <> 
06/10/2005 10:45 AM
Please respond to


Re: Security Config File questions

On Jun 10, 2005, at 10:26 AM, Michael Malgeri wrote:

> Got a couple of security related questions:
> 1.  In the following snippet from the j2ee-secure-plan.xml file one of 
> possibly many login modules (which are connected by a reference tag) 
> are associated with the realm and the other block that appear above 
> the realm
> <gbean name="demo-properties-login" 
> class="">
>         <attribute name="controlFlag">REQUIRED</attribute>
>         <reference name="LoginModule">
>             <name>demo-properties-login</name>
>         </reference>
>     </gbean>
> Each login module has a Flag, which I see in this case is "REQUIRED"
> But shouldn't each login module have the ability to take "options", 
> which I don't see
> Is there an "options" attribute? I know there is an "options" attribute 
> in the "LoginModuleGBean" that this block is associated with, but what 
> do you do in the case when there are multiple login modules, i.e. 
> multiple JaasLoginModuleUse gbeans and they each can have options?
> 2.  In a standard JAAS config file, there are "Application blocks" 
> that contain groups of login modules. it looks something like
> App1{
> Class Flag Options;
>  Class Flag Options: etc}.
> where each  "Class" , "Flag" and "Options" is for each login module
> "What" tag/artifact/THING in the j2ee-secure-plan.xml file corresponds 
> to "App1" in the preceding block?

Let's see if I can answer both questions at once, or if I just confuse 
things further.

Each line Class Flag Options from (2) corresponds to a LoginModuleGbean 
in geronimo, except we take out the flag.

Each App1 corresponds to a GenericSecurityRealm gbean.

We let you reuse a configured login module for several security realms. 
  Each GenericSecurityRealm gets a reference to a linked list of 
LoginModuleUse gbeans, which supplies the order of login modules and 
the Flag for each login module as used in the GenericSecurityRealm.  It 
may not be obvious from the j2ee-secure-plan but LoginModuleUse has a 
reference to a next LoginModuleUse.

The examples in openejb have an alternate xml syntax that is much 
clearer but I'm not sure it is completely approved by everyone.

david jencks

> Michael Malgeri
>  Mgr Gluecode Client Technical Services
>  PHONE: 310-536-8355 x 14
>  FAX: 310-536-9062
>  CELLULAR: 310-704-6403
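
The mapping discussed in this thread, as an added example that is not part of the original messages and is not Geronimo code: a small Python model that parses a constructed standard jaas.config block and splits it the way David describes, with class and options on the module, and flag and order on a linked list of uses hanging off the realm. The login module class names, option names and the Python class names are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample in standard jaas.config syntax; class names are hypothetical.
JAAS_CONFIG = """
Human_Resources_App {
    example.PropertiesLoginModule REQUIRED usersURI="users.properties";
    example.SqlLoginModule OPTIONAL jdbcURL="jdbc:example:hr" debug=true;
    example.LdapLoginModule SUFFICIENT providerURL="ldap://ldap.example.org";
};
"""
FLAGS = {"REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"}

@dataclass
class LoginModule:           # models a LoginModuleGBean: class + options, no flag
    class_name: str
    options: dict

@dataclass
class LoginModuleUse:        # models a LoginModuleUse: flag, module, next use
    flag: str
    module: LoginModule
    next: "LoginModuleUse | None" = None

def parse_realms(text):
    """Return {application name: first LoginModuleUse}; one realm per block.
    Naive split on ';', so option values must not contain ';' or '}'."""
    realms = {}
    for name, body in re.findall(r"(\w[\w.-]*)\s*\{(.*?)\}\s*;", text, re.S):
        uses = []
        for entry in filter(None, (e.strip() for e in body.split(";"))):
            class_name, flag, *opts = re.findall(r'(?:[^\s"]|"[^"]*")+', entry)
            if flag.upper() not in FLAGS:
                raise ValueError(f"unknown control flag {flag!r} in {name}")
            options = {k: v.strip('"') for k, v in (o.split("=", 1) for o in opts)}
            uses.append(LoginModuleUse(flag.upper(), LoginModule(class_name, options)))
        for current, following in zip(uses, uses[1:]):
            current.next = following          # the "next LoginModuleUse" reference
        realms[name] = uses[0] if uses else None
    return realms

def chain(use):
    """Walk the linked list in order: (flag, class name, options) per module."""
    out = []
    while use is not None:
        out.append((use.flag, use.module.class_name, use.module.options))
        use = use.next
    return out
```

Because the flag lives on the use rather than the module, the same `LoginModule` object could be referenced from a second realm's chain with a different flag, which is the reuse David mentions.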
