geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aaron Mulder <ammul...@alumni.princeton.edu>
Subject Security Role Mapping & Authentication
Date Wed, 03 Aug 2005 01:01:10 GMT
	So in web apps, the developer provides a list of roles in web.xml,
and then we let you map any principals from any Geronimo security realms
to the J2EE roles using the <security> element in geronimo-web.xml (it's 
quite possible to allow principals from multiple realms).

	However, on top of that, there's a <security-realm-name> element 
in geronimo-web.xml, which appears to be used by Jetty and not Tomcat.  
This appears to be used to set the JettyJAASRealm on the 
JettyWebAppContext (see JettyWebAppContext.java:257).

	I'm assuming that when you log in to Jetty, it authenticates you 
against the security realm named in the <security-realm-name> element, and 
then authorizes you against the mappings performed in the <security> 
element.  So logically, it wouldn't help you to include principals from 
any other realm in the <security> element, but we don't enforce that in 
the schemas.

	If that's true, then what realm does Tomcat authenticate against?  
And what realm do EJBs authenticate against?  Both Tomcat and EJBs appear
to only use the <security> element (Tomcat ignores the
<security-realm-name> element AFAICT and openejb-jar.xml doesn't have
one).

Thanks,
	Aaron

Mime
View raw message