From: Quintin Beukes
To: dev@geronimo.apache.org
Date: Mon, 14 Sep 2009 22:56:31 +0200
Subject: Re: The setting of LoginDomainName attribute of the LoginModuleGBean

For interest's sake, how would you use this to implement the below?
If you have a doc specifying this, can you send me the link? This explanation made it sound interesting, as I myself have wondered about the WrappingLoginModule.

Q

On Mon, Sep 14, 2009 at 6:42 PM, David Jencks wrote:
>
> On Sep 14, 2009, at 12:51 AM, Ivan wrote:
>
>> Hi
>> In the LoginModuleGBean, there is an attribute named loginDomainName. I went through the code and just found that, while the WrappingLoginModule is turned on, those domainNames are used in the Subject as DomainPrincipal. Except for this, is there any use for those loginDomainNames? And I did not find any example for WrappingLoginModule, so when would we use it?
>> Thanks!
>
> I thought this was documented somewhere, but I could easily be wrong, and the explanation might not include enough info for anyone to know why...
>
> Most people use the simplest form of principal-role mapping, where you specify the class and name of the actual Principal from the login module you specify. However, it's possible to think up more complicated scenarios where this is not enough to identify the principal for the principal-role mapping.
>
> Let's suppose you have an ejb app C with 2 web apps A and B in front of it. Your ejb app has 2 roles r1 and r2. You have two legacy security systems S1 and S2 with proprietary login modules that both happen to supply the same principal class. You need to use S1 with A and S2 with B. S1 and S2 both provide principals with names "g1" and "g2" but the meaning is opposite.... you need
>
> For S1 and A,
> "g1" -> r1
> "g2" -> r2
>
> but for S2 and B,
> "g1" -> r2
> "g2" -> r1
>
> So, you need more information to distinguish the principals so you can map them to the correct roles. Geronimo lets you wrap the original principals with a wrapper that contains a name of the login module "loginDomainName" and the name of the security realm, and the principal-role mapping can specify these as well. You'd use the loginDomainName if you set up a single security realm that includes the login modules for S1 and S2, and the security realm if you set up two separate security realms.
>
> I don't know if anyone has used this or ever will, but we thought we'd be thorough.
>
> thanks
> david jencks
>
>> --
>> Ivan
>

-- 
Quintin Beukes
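David's S1/S2 scenario worked through as an added Java example; this is constructed illustration, not Geronimo's code or API. `LegacyGroupPrincipal`, `DomainWrapped` (a stand-in for the loginDomainName wrapper) and `PrincipalRoleMapping` are hypothetical names, and the example assumes Java 16+ for records and pattern matching.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

// Constructed model of the thread's scenario (Java 16+); not Geronimo code.
// Both legacy systems S1 and S2 hand back this same principal class.
record LegacyGroupPrincipal(String name) implements Principal {
    @Override public String getName() { return name; }
}

// Hypothetical stand-in for the loginDomainName wrapper: it carries the
// domain name next to the original principal (not Geronimo's own wrapper type).
record DomainWrapped(String loginDomainName, Principal inner) implements Principal {
    @Override public String getName() { return inner.getName(); }
}

public class PrincipalRoleMapping {
    // Key = loginDomainName | principal class | principal name -> role.
    // A null domain is the simple, unwrapped form of the mapping.
    private final Map<String, String> roleByKey = new HashMap<>();

    private static String key(String domain, Principal p) {
        return domain + "|" + p.getClass().getName() + "|" + p.getName();
    }

    public void map(String domain, Principal p, String role) {
        roleByKey.put(key(domain, p), role);
    }

    // Wrapped principals are looked up by domain; bare principals by class+name only.
    public String roleFor(Principal p) {
        if (p instanceof DomainWrapped w) {
            return roleByKey.get(key(w.loginDomainName(), w.inner()));
        }
        return roleByKey.get(key(null, p));
    }

    public static void main(String[] args) {
        PrincipalRoleMapping m = new PrincipalRoleMapping();
        Principal g1 = new LegacyGroupPrincipal("g1");
        Principal g2 = new LegacyGroupPrincipal("g2");
        m.map("S1", g1, "r1"); m.map("S1", g2, "r2");   // S1, used by web app A
        m.map("S2", g1, "r2"); m.map("S2", g2, "r1");   // S2, used by web app B: reversed
        System.out.println("S1 g1 -> " + m.roleFor(new DomainWrapped("S1", g1)));
        System.out.println("S2 g1 -> " + m.roleFor(new DomainWrapped("S2", g1)));
        // Bare g1 is ambiguous without the wrapper: no single role applies.
        System.out.println("bare g1 -> " + m.roleFor(g1));
    }
}
```

The same lookup would work with the realm name as the discriminator if S1 and S2 were configured as two separate security realms, as David describes.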