geronimo-dev mailing list archives

From Quintin Beukes <quin...@skywalk.co.za>
Subject Re: The setting of LoginDomainName attribute of the LoginModuleGBean
Date Mon, 14 Sep 2009 20:56:31 GMT
For interest's sake, how would you use this to implement the below?

If you have a doc specifying this, can you send me the link. This
explanation made it sound interesting, as I myself have wondered about
the WrappingLoginModule.

Q

On Mon, Sep 14, 2009 at 6:42 PM, David Jencks <david_jencks@yahoo.com> wrote:
>
> On Sep 14, 2009, at 12:51 AM, Ivan wrote:
>
>> Hi
>>  In the LoginModuleGBean, there is an attribute named loginDomainName. I
>> went through the code and found that when the WrappingLoginModule is
>> turned on, those domain names are used in the Subject as DomainPrincipal.
>> Apart from this, is there any use for those loginDomainNames? Also, I did
>> not find any example of WrappingLoginModule, so when would we use it?
>>  Thanks!
>
> I thought this was documented somewhere, but I could easily be wrong, and
> the explanation might not include enough info for anyone to know why...
>
> Most people use the simplest form of principal-role mapping, where you
> specify the class and name of the actual Principal from the login module you
> specify.  However, it's possible to think up more complicated scenarios
> where this is not enough to identify the principal for the principal-role
> mapping.
>
> Let's suppose you have an ejb app C with 2 web apps A and B in front of it.
> Your ejb app has 2 roles r1 and r2.  You have two legacy security systems
> S1 and S2 with proprietary login modules that both happen to supply the same
> principal class.  You need to use S1 with A and S2 with B.  S1 and S2 both
> provide principals with names "g1" and "g2" but the meaning is opposite...
> you need
>
> For S1 and A,
> "g1" > r1
> "g2" > r2
>
> but for S2 and B,
> "g1" > r2
> "g2" > r1
>
> So, you need more information to distinguish the principals so you can map
> them to the correct roles.  Geronimo lets you wrap the original principals
> with a wrapper that contains a name of the login module "loginDomainName"
> and the name of the security realm, and the principal-role mapping can
> specify these as well.  You'd use the loginDomainName if you set up a single
> security realm that includes the login modules for S1 and S2, and the
> security realm if you set up two separate security realms.
>
> I don't know if anyone has used this or ever will, but we thought we'd be
> thorough.
>
> thanks
> david jencks
>
>> --
>> Ivan
>
>



-- 
Quintin Beukes
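The scenario David describes in the quoted reply above, as an added example that is not code from the thread or from the Geronimo code base: GroupPrincipal, DomainPrincipal and DomainRoleMapping are hypothetical stand-ins for the shared legacy principal class, the wrapper carrying the loginDomainName, and a principal-role mapping; "S1" and "S2" are assumed to be the loginDomainName values configured for the two login modules in a single security realm.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

// Hypothetical principal class that both legacy systems S1 and S2 happen to supply.
final class GroupPrincipal implements Principal {
    private final String name;
    GroupPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

// Hypothetical wrapper modelled on the description in the thread (not Geronimo's own class):
// it keeps the loginDomainName beside the original principal, so S1's "g1" and S2's "g1" differ.
final class DomainPrincipal implements Principal {
    private final String domain; private final Principal wrapped;
    DomainPrincipal(String domain, Principal wrapped) { this.domain = domain; this.wrapped = wrapped; }
    public String getName() { return wrapped.getName(); }
    public String getDomain() { return domain; }  public Principal getPrincipal() { return wrapped; }
}

public class DomainRoleMapping {
    // Principal-role mapping keyed by loginDomainName, principal class and principal name.
    static final Map<String, String> MAPPING = Map.of(
        "S1:GroupPrincipal:g1", "r1", "S1:GroupPrincipal:g2", "r2",  // S1, in front of web app A
        "S2:GroupPrincipal:g1", "r2", "S2:GroupPrincipal:g2", "r1"); // S2, in front of web app B
    // Wrapping step: every principal the login module put into the Subject gets a
    // DomainPrincipal twin tagged with that login module's loginDomainName.
    static void wrap(Subject subject, String loginDomainName) {
        for (GroupPrincipal p : subject.getPrincipals(GroupPrincipal.class))
            subject.getPrincipals().add(new DomainPrincipal(loginDomainName, p));
    }
    // Role resolution consults only the wrapped principals; a bare "g1" carrying no
    // domain information is ambiguous and deliberately maps to no role at all.
    static Set<String> roles(Subject subject) {
        Set<String> roles = new TreeSet<>();
        for (DomainPrincipal dp : subject.getPrincipals(DomainPrincipal.class)) {
            String key = dp.getDomain() + ":" + dp.getPrincipal().getClass().getSimpleName() + ":" + dp.getName();
            String role = MAPPING.get(key);
            if (role != null) roles.add(role);
        }
        return roles;
    }
    public static void main(String[] args) {
        Subject viaS1 = new Subject(), viaS2 = new Subject();
        viaS1.getPrincipals().add(new GroupPrincipal("g1")); wrap(viaS1, "S1");
        viaS2.getPrincipals().add(new GroupPrincipal("g1")); wrap(viaS2, "S2");
        System.out.println("S1 g1 -> " + roles(viaS1) + "  S2 g1 -> " + roles(viaS2));
    }
}
```

The same principal class and name ("g1") resolves to r1 when it arrived through the S1 login module and to r2 through S2, which is exactly the distinction a mapping keyed on class and name alone cannot make.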
