The only issue with this is that the JaasSecurityManager is not considered
a public API for which compatibility between releases is a consideration.
Your subclass of JaasSecurityManager may not work in later releases.
The public API for use with JaasSecurityManager is simply the JAAS
login module API.

----- Original Message ----- 
From: "Konstantin Priblouda" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 29, 2001 9:59 AM
Subject: Re: [JBoss-user] Security in Jboss ( JaasSecurityManager ) - question to 
developers. Maybe RFE


> 
> --- Scott M Stark <[EMAIL PROTECTED]> wrote:
> > What you're doing is correct, that is just a bug in
> > the handling of the null
> > credential. I have fixed this in main.
> > 
> > In 2.4 there is an ability to set the principal of
> > an unauthenticated user,
> > but you cannot assign roles to it. It is not for
> > allowing unauthenticated
> > users access to secured beans. Rather it is for
> > assigning the principal
> > an unsecured bean would see by obtaining the caller
> > principal when
> > called by an unauthenticated user.
> > 
> > You could come up with a generic
> > UnauthenticatedLoginModule that
> > would allow for the specification of the principal
> > and roles that could
> > be inserted into a domain's login configuration when
> > unauthenticated
> > users should be given default capabilities.
> 
> I looked at the issue today. What I need is a weird
> dead authentication schema. ( Big banks like a lot of
> security :) )
> 
> Due to the complexity of password and principal
> management, I'd like to handle login via session bean.
> ( I have different kinds of users, where different
> login contexts ( web contexts ) could possibly have
> the same login names. 
> 
> So I have a principal bean which manages passwords and
> is the user ID, and of course a couple of beans mapping it
> to login names. 
> 
> Authentication from web context will be done through 
> session bean (and this will be different context
> than ejb security context), and because all beans 
> require at least some role to be accessed, 
> I will subclass JAAS security manager to give role
> "nobody" even without any credentials/principals
> ( what happens when unauthenticated web user tries to
> access a bean )
> 
> Login modules which are used to authenticate web-users
> will modify principal to hold ID of principal bean, 
> and this ID along with password will be propagated
> to the ejb security context on EJB invocation.
> 
> Then it will be checked by another login module.
> 
> Do you see any problems with such setup?
> 
> After all I'll try to write short tutorial...
> 
> regards,
> 
> 
> =====
> Konstantin Priblouda ( ko5tik )    Freelance Software developer
> < http://www.pribluda.de > < play java games -> http://www.yook.de >
> < render charts online -> http://www.pribluda.de/povray/ >
> 
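Scott's suggestion above, a generic login module that gives unauthenticated callers a configured default principal and roles through the JAAS login module API rather than by subclassing JaasSecurityManager, sketched as an added example. This is not code from the thread or from JBoss; the option names `unauthenticatedIdentity` and `unauthenticatedRoles`, the `RolePrincipal` class, and the way the container picks role principals out of the Subject are all assumptions made for the illustration (JBoss of that era expected roles in a Group named "Roles", which is not reproduced here to keep the code portable across Java versions).

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Hypothetical login module: succeeds ONLY when the caller presented no
 * name and no password, and then populates the Subject with a configured
 * default identity (e.g. "nobody") and a configured, deliberately small
 * set of roles. Real credentials are left to the other modules in the
 * same login configuration entry.
 */
public class UnauthenticatedLoginModule implements LoginModule {
    // Option keys read from the login configuration (assumed names).
    static final String IDENTITY_OPT = "unauthenticatedIdentity";
    static final String ROLES_OPT = "unauthenticatedRoles";

    private Subject subject;
    private CallbackHandler handler;
    private String identity = "nobody";
    private String[] roles = new String[0];
    private boolean applies;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        Object id = options.get(IDENTITY_OPT);
        if (id != null) identity = id.toString();
        Object r = options.get(ROLES_OPT);
        // Comma-separated role list, e.g. "nobody" or "guest,reader".
        if (r != null && !r.toString().trim().isEmpty()) {
            roles = r.toString().split("\\s*,\\s*");
        }
    }

    @Override
    public boolean login() throws LoginException {
        // No callback handler at all means no credentials could be supplied.
        if (handler == null) {
            applies = true;
            return true;
        }
        NameCallback nc = new NameCallback("User name: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("Cannot obtain credentials: " + e);
        }
        String name = nc.getName();
        char[] pw = pc.getPassword();
        boolean noName = name == null || name.isEmpty();
        boolean noPassword = pw == null || pw.length == 0;
        pc.clearPassword(); // never keep password material around
        // Returning false tells JAAS to ignore this module; a caller who
        // did present credentials must be judged by the real modules.
        applies = noName && noPassword;
        return applies;
    }

    @Override
    public boolean commit() {
        if (!applies) return false;
        subject.getPrincipals().add(new NamedPrincipal(identity));
        for (String role : roles) {
            subject.getPrincipals().add(new RolePrincipal(role));
        }
        return true;
    }

    @Override
    public boolean abort() { applies = false; return true; }

    @Override
    public boolean logout() {
        subject.getPrincipals().removeIf(
            p -> p instanceof NamedPrincipal || p instanceof RolePrincipal);
        return true;
    }

    /** Caller identity as seen through getCallerPrincipal(). */
    public static class NamedPrincipal implements Principal, Serializable {
        private final String name;
        public NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    /** Marker type so a container (assumed) can collect roles from the Subject. */
    public static class RolePrincipal extends NamedPrincipal {
        public RolePrincipal(String name) { super(name); }
    }
}
```

In the login configuration this module would sit after the module that checks real credentials, both flagged `sufficient`: JAAS then skips the default-identity module whenever the real one succeeds, and a caller who sends a wrong password is rejected rather than quietly downgraded to "nobody", since this module only succeeds when both name and password are absent. Whatever roles are granted this way are reachable by anyone, so they should be the minimum an anonymous web user actually needs.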



_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user