geronimo-dev mailing list archives

From David Jencks <>
Subject Re: The setting of LoginDomainName attribute of the LoginModuleGBean
Date Mon, 14 Sep 2009 16:42:47 GMT

On Sep 14, 2009, at 12:51 AM, Ivan wrote:

> Hi
>   In the LoginModuleGBean, there is an attribute named  
> loginDomainName. I went through the code and just found that while the  
> WrappingLoginModule is turned on, those domainNames are used in the  
> Subject as DomainPrincipal. Except for this, is there any use for  
> those loginDomainNames? And, I did not find any example for  
> WrappingLoginModule, so when would we use it?
>  Thanks!

I thought this was documented somewhere, but I could easily be wrong,  
and the explanation might not include enough info for anyone to know  

Most people use the simplest form of principal-role mapping, where you  
specify the class and name of the actual Principal from the login  
module you specify.  However, it's possible to think up more  
complicated scenarios where this is not enough to identify the  
principal for the principal-role mapping.

Let's suppose you have an ejb app C with 2 web apps A and B in front of  
it.  Your ejb app has 2 roles r1 and r2.  You have two legacy security  
systems S1 and S2 with proprietary login modules that both happen to  
supply the same principal class.  You need to use S1 with A and S2  
with B.  S1 and S2 both provide principals with names "g1" and "g2"  
but the meaning is opposite: you need

For S1 and A,
"g1" > r1
"g2" > r2

but for S2 and B,
"g1" > r2
"g2" > r1

So, you need more information to distinguish the principals so you can  
map them to the correct roles.  Geronimo lets you wrap the original  
principals with a wrapper that contains a name of the login module  
"loginDomainName" and the name of the security realm, and the  
principal-role mapping can specify these as well.  You'd use the  
loginDomainName if you set up a single security realm that includes  
the login modules for S1 and S2, and the security realm if you set up  
two separate security realms.

I don't know if anyone has used this or ever will, but we thought we'd  
be thorough.

david jencks

> -- 
> Ivan
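As an added illustration (not from David's mail and not Geronimo project code), this is how the S1/S2 scenario above would look in the `<security>` sections of the deployment plans for A and B. Assumed, as placeholders: the security-2.0 plan namespace, one realm holding both login modules under login domain names `S1` and `S2` (or two realms `s1-realm` and `s2-realm` for the second variant), and the shared principal class `com.example.LegacyGroupPrincipal`.

```xml
<!-- Web app A: S1's "g1" means r1 and "g2" means r2. Both login modules
     sit in one realm, so the login domain name is what distinguishes
     S1's principals from S2's. -->
<security xmlns="http://geronimo.apache.org/xml/ns/security-2.0">
  <role-mappings>
    <role role-name="r1">
      <login-domain-principal domain-name="S1"
          class="com.example.LegacyGroupPrincipal" name="g1"/>
    </role>
    <role role-name="r2">
      <login-domain-principal domain-name="S1"
          class="com.example.LegacyGroupPrincipal" name="g2"/>
    </role>
  </role-mappings>
</security>

<!-- Web app B: S2's meanings are reversed. A plain <principal> entry
     (class + name only) could not express this, because S2's "g1" has
     the same class and name as S1's "g1"; only the wrapper's domain
     name tells them apart. -->
<security xmlns="http://geronimo.apache.org/xml/ns/security-2.0">
  <role-mappings>
    <role role-name="r1">
      <login-domain-principal domain-name="S2"
          class="com.example.LegacyGroupPrincipal" name="g2"/>
    </role>
    <role role-name="r2">
      <login-domain-principal domain-name="S2"
          class="com.example.LegacyGroupPrincipal" name="g1"/>
    </role>
  </role-mappings>
</security>

<!-- Variant with two separate security realms: the realm name carries
     the distinction instead (shown for B's r1 only; placeholder names). -->
<role role-name="r1">
  <realm-principal realm-name="s2-realm" domain-name="S2"
      class="com.example.LegacyGroupPrincipal" name="g2"/>
</role>
```

The fragments show only the role-mapping part of each plan; the rest of the plan (module references, realm definitions) is left out.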
