Return-Path: 
 <dev-return-15266-apmail-geronimo-dev-archive=geronimo.apache.org@geronimo.apache.org>
Delivered-To: apmail-geronimo-dev-archive@www.apache.org
Received: (qmail 97196 invoked from network); 3 Aug 2005 00:51:29 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199)
  by minotaur.apache.org with SMTP; 3 Aug 2005 00:51:29 -0000
Received: (qmail 2478 invoked by uid 500); 3 Aug 2005 00:51:25 -0000
Delivered-To: apmail-geronimo-dev-archive@geronimo.apache.org
Received: (qmail 2443 invoked by uid 500); 3 Aug 2005 00:51:25 -0000
Mailing-List: contact dev-help@geronimo.apache.org; run by ezmlm
Precedence: bulk
list-help: <mailto:dev-help@geronimo.apache.org>
list-unsubscribe: <mailto:dev-unsubscribe@geronimo.apache.org>
List-Post: <mailto:dev@geronimo.apache.org>
Reply-To: dev@geronimo.apache.org
List-Id: <dev.geronimo.apache.org>
Delivered-To: mailing list dev@geronimo.apache.org
Received: (qmail 2422 invoked by uid 99); 3 Aug 2005 00:51:24 -0000
Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 02 Aug 2005 17:51:24 -0700
X-ASF-Spam-Status: No, hits=0.0 required=10.0
	tests=
X-Spam-Check-By: apache.org
Received-SPF: neutral (asf.osuosl.org: local policy)
Received: from [66.250.40.202] (HELO saturn.opentools.org) (66.250.40.202)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 02 Aug 2005 17:51:16 -0700
Received: by saturn.opentools.org (Postfix, from userid 500)
	id BACC63F89; Tue,  2 Aug 2005 21:01:10 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
	by saturn.opentools.org (Postfix) with ESMTP id B4264F383
	for <dev@geronimo.apache.org>; Tue,  2 Aug 2005 21:01:10 -0400 (EDT)
Date: Tue, 2 Aug 2005 21:01:10 -0400 (EDT)
From: Aaron Mulder <ammulder@alumni.princeton.edu>
X-X-Sender: ammulder@saturn.opentools.org
To: dev@geronimo.apache.org
Subject: Security Role Mapping & Authentication
Message-ID: <Pine.LNX.4.58.0508022050210.18515@saturn.opentools.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Virus-Checked: Checked by ClamAV on apache.org
X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N

	So in web apps, the developer provides a list of roles in web.xml,
and then we let you map any principals from any Geronimo security realms
to the J2EE roles using the <security> element in geronimo-web.xml (it's 
quite possible to allow principals from multiple realms).

	However, on top of that, there's a <security-realm-name> element 
in geronimo-web.xml, which appears to be used by Jetty and not Tomcat.  
This appears to be used to set the JettyJAASRealm on the 
JettyWebAppContext (see JettyWebAppContext.java:257).

	I'm assuming that when you log in to Jetty, it authenticates you 
against the security realm named in the <security-realm-name> element, and 
then authorizes you against the mappings performed in the <security> 
element.  So logically, it wouldn't help you to include principals from 
any other realm in the <security> element, but we don't enforce that in 
the schemas.

	If that's true, then what realm does Tomcat authenticate against?  
And what realm do EJBs authenticate against?  Both Tomcat and EJBs appear
to only use the <security> element (Tomcat ignores the
<security-realm-name> element AFAICT and openejb-jar.xml doesn't have
one).

Thanks,
	Aaron