On Sep 14, 2009, at 12:51 AM, Ivan wrote:
Hi
In the LoginModuleGBean, there is an attribute named
loginDomainName. I went through the code and just found that while the
WrappingLoginModule is turned on, those domainNames are used in the
Subject as DomainPrincipal. Except for this, is there any use for
those loginDomainNames? And, I did not find any example for
WrappingLoginModule, so when would we use it?
Thanks!

I thought this was documented somewhere, but I could easily be wrong,
and the explanation might not include enough info for anyone to know
why...

Most people use the simplest form of principal-role mapping, where you
specify the class and name of the actual Principal from the login
module you specify. However, it's possible to think up more
complicated scenarios where this is not enough to identify the
principal for the principal-role mapping.

Let's suppose you have an ejb app C with 2 web apps A and B in front of
it. Your ejb app has 2 roles r1 and r2. You have two legacy security
systems S1 and S2 with proprietary login modules that both happen to
supply the same principal class. You need to use S1 with A and S2
with B. S1 and S2 both provide principals with names "g1" and "g2"
but the meaning is opposite... you need

For S1 and A,
"g1" > r1
"g2" > r2

but for S2 and B,
"g1" > r2
"g2" > r1

So, you need more information to distinguish the principals so you can
map them to the correct roles. Geronimo lets you wrap the original
principals with a wrapper that contains a name of the login module
"loginDomainName" and the name of the security realm, and the
principal-role mapping can specify these as well. You'd use the
loginDomainName if you set up a single security realm that includes
the login modules for S1 and S2, and the security realm if you set up
two separate security realms.

I don't know if anyone has used this or ever will, but we thought we'd
be thorough.

thanks
david jencks
--
Ivan
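
The S1/S2 scenario from the reply above, as an added sketch that is not part of the original thread and does not use Geronimo's own classes. `LegacyGroup` and `DomainWrapped` are hypothetical stand-ins for the shared legacy principal class and for a wrapper that carries the login domain name; the domain names "S1" and "S2" follow the e-mail's example.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;

public class DomainRoleMappingDemo {
    // Hypothetical stand-in for the principal class that both S1 and S2 supply.
    record LegacyGroup(String name) implements Principal {
        public String getName() { return name; }
    }

    // Hypothetical wrapper tagging a principal with its login domain name
    // (an illustration of the idea, not Geronimo's own class).
    record DomainWrapped(String domain, Principal inner) implements Principal {
        public String getName() { return domain + "/" + inner.getName(); }
    }

    // Role mapping from the e-mail, keyed on (login domain, class, name).
    static final Map<Principal, String> ROLE_MAP = Map.of(
        new DomainWrapped("S1", new LegacyGroup("g1")), "r1",
        new DomainWrapped("S1", new LegacyGroup("g2")), "r2",
        new DomainWrapped("S2", new LegacyGroup("g1")), "r2",
        new DomainWrapped("S2", new LegacyGroup("g2")), "r1");

    // Simulated login: the Subject gets the raw principal plus its wrapped form.
    static Subject login(String domain, String group) {
        Subject subject = new Subject();
        Principal raw = new LegacyGroup(group);
        subject.getPrincipals().add(raw);
        subject.getPrincipals().add(new DomainWrapped(domain, raw));
        return subject;
    }

    // Only wrapped principals match the mapping; a bare "g1" grants nothing.
    static Set<String> roles(Subject subject) {
        Set<String> granted = new TreeSet<>();
        for (Principal p : subject.getPrincipals()) {
            String role = ROLE_MAP.get(p);
            if (role != null) granted.add(role);
        }
        return granted;
    }

    public static void main(String[] args) {
        // Bare principals from S1 and S2 are equal, so class + name cannot tell them apart.
        System.out.println(new LegacyGroup("g1").equals(new LegacyGroup("g1")));
        System.out.println("S1 g1 -> " + roles(login("S1", "g1")));
        System.out.println("S2 g1 -> " + roles(login("S2", "g1")));
    }
}
```

The sketch uses records, so it needs Java 16 or later.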