geronimo-scm mailing list archives

Subject [Apache Geronimo Wiki] Updated: Security
Date Sat, 20 Nov 2004 19:17:41 GMT
   Date: 2004-11-20T11:17:41
   Editor: AaronMulder <>
   Wiki: Apache Geronimo Wiki
   Page: Security

   no comment

Change Log:

@@ -116,6 +116,7 @@
    * One that rejects logins for a user after X unsuccessful attempts (in a row or in Y minutes)
    * One that validates against an LDAP login domain
    * One that validates client certificates against a particular certificate authority
+ * The {{{SQLLoginModule}}} needs to be updated to execute user-specific queries instead
of loading the entire list of users and groups every time
  * The current {{{RealmPrincipal}}} gets the security realm name, whereas it really should
get the login domain name
  * Therefore, we need to be able to specify a login domain name for every login module
  * Role mapping needs to change to support login domain names
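Review bot: The added {{{SQLLoginModule}}} item says "execute user-specific queries" but does not say how the supplied username reaches the query or whether the per-user lookup also covers that user's groups. Since it replaces "loading the entire list of users and groups every time", consider wording it as: execute parameterized, user-specific queries for the user and for that user's groups, so the item records both the binding requirement and the group lookup that the full load currently provides.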
@@ -123,11 +124,11 @@
    * You should be able to specify more than one default principal; for example, you might
want the default (unauthenticated) subject to get one user principal and two group principals
  * Auto-mapping of principals to groups needs to be enhanced (better configuration, etc.)
  * The client-side Subject should be given all the Principals generated by server-side login
modules (but not {{{RealmPrincipal}}}s).  There should be a configuration option to disable
+ * Maybe automatically return the server-side Subject for server-side usage of {{{JaasLoginCoordinator}}}
  * The old functionality to get a list of all available users and groups from a security
realm has been broken.  It needs to be brought back in the form of a helper class that can
be configured on the {{{GenericSecurityRealm}}}, but they need to handle arbitrary principal
classes (not just "users" and "groups").
  * Replace the static registration with {{{GeronimoLoginConfiguration}}} with an IOC assignment
of GLC to each security realm (or better yet, vice versa).
  * Update {{{geronimo-jetty.xml}}} to have the name of the security realm that Jetty should
use to authenticate to.  Currently that's in a separate GBean, which is kind of icky and is
subject to naming collisions across web apps
  * Handle user-provided {{{CallbackHandler}}}s in J2EE client applications
- * Maybe automatically return the server-side Subject for server-side usage of {{{JaasLoginCoordinator}}}
  * Add some kind of fancier validator object to a {{{SecurityRealm}}} that can enforce rules
like "user only valid between 9 and 5".  It can't only reject new logins; it must also terminate
an existing valid login at the appropriate time.  It's not clear how to do this right.  This
would replace the previous ability to set a realm-specific max login duration.
  * Potentially replace realm bridges with connector-specific {{{LoginModule}}} classes that
just add additional Principals to the Subject at the initial authentication time.
  * We need more tests of all this functionality
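Review bot: The relocated {{{JaasLoginCoordinator}}} item now follows the client-side Subject item, which excludes {{{RealmPrincipal}}}s, but the moved line does not say whether the server-side Subject returned for server-side usage would include them. State that explicitly, and resolve the "Maybe" into a decision or an open question with an owner. The context item directly above it also ends at "There should be a configuration option to disable" without naming what is disabled; worth completing while this part of the list is being reordered.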
