I think this is the page that David mentioned: http://cwiki.apache.org/GMOxDOC22/configuring-login-modules.html
Jeff C

On Tue, Sep 15, 2009 at 4:56 AM, Quintin Beukes <[email protected]> wrote:

> For interest's sake, how would you use this to implement the below?
>
> If you have a doc specifying this, can you send me the link. This
> explanation made it sound interesting, as I myself have wondered about
> the WrappingLoginModule.
>
> Q
>
> On Mon, Sep 14, 2009 at 6:42 PM, David Jencks <[email protected]> wrote:
> >
> > On Sep 14, 2009, at 12:51 AM, Ivan wrote:
> >
> >> Hi
> >> In the LoginModuleGBean, there is an attribute named loginDomainName. I
> >> went through the code and just found that while the WrappingLoginModule is
> >> turned on, those domainNames are used in the Subject as DomainPrincipal.
> >> Except for this, is there any use for those loginDomainNames? And I did
> >> not find any example for WrappingLoginModule, so when would we use it?
> >> Thanks!
> >
> > I thought this was documented somewhere, but I could easily be wrong, and
> > the explanation might not include enough info for anyone to know why...
> >
> > Most people use the simplest form of principal-role mapping, where you
> > specify the class and name of the actual Principal from the login module you
> > specify. However, it's possible to think up more complicated scenarios
> > where this is not enough to identify the principal for the principal-role
> > mapping.
> >
> > Let's suppose you have an ejb app C with 2 web apps A and B in front of it.
> > Your ejb app has 2 roles r1 and r2. You have two legacy security systems
> > S1 and S2 with proprietary login modules that both happen to supply the same
> > principal class. You need to use S1 with A and S2 with B. S1 and S2 both
> > provide principals with names "g1" and "g2" but the meaning is opposite...
> > you need
> >
> > For S1 and A,
> > "g1" > r1
> > "g2" > r2
> >
> > but for S2 and B,
> > "g1" > r2
> > "g2" > r1
> >
> > So, you need more information to distinguish the principals so you can map
> > them to the correct roles. Geronimo lets you wrap the original principals
> > with a wrapper that contains a name of the login module "loginDomainName"
> > and the name of the security realm, and the principal-role mapping can
> > specify these as well. You'd use the loginDomainName if you set up a single
> > security realm that includes the login modules for S1 and S2, and the
> > security realm if you set up two separate security realms.
> >
> > I don't know if anyone has used this or ever will, but we thought we'd be
> > thorough.
> >
> > thanks
> > david jencks
> >
> >> --
> >> Ivan
> >
>
> --
> Quintin Beukes
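Added example, not part of the original thread and not Geronimo code: a self-contained Java model of the S1/S2 scenario David describes, in which wrapping each principal with its loginDomainName lets a single mapping send "g1" to different roles. The classes GroupPrincipal and DomainWrapped, the login and roles helpers, and the extra domain name "S3" are hypothetical; the wrapping step is an assumed simplification of what a wrapping login module does.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

// Requires Java 16+ (records). All names here are hypothetical.
public class LoginDomainMappingDemo {
    // Both legacy systems S1 and S2 emit this same class with the same names.
    record GroupPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // Hypothetical wrapper: the original principal plus the loginDomainName
    // of the login module that produced it.
    record DomainWrapped(String loginDomainName, Principal wrapped) implements Principal {
        public String getName() { return loginDomainName + "/" + wrapped.getName(); }
    }

    // Assumed model of wrapping: every principal the module produced is also
    // added to the Subject in domain-wrapped form.
    static Subject login(String loginDomainName, String... groups) {
        Subject subject = new Subject();
        for (String g : groups) {
            Principal p = new GroupPrincipal(g);
            subject.getPrincipals().add(p);
            subject.getPrincipals().add(new DomainWrapped(loginDomainName, p));
        }
        return subject;
    }

    // Roles granted to a subject: only principals named in the mapping count,
    // so a bare "g1" with no domain match grants nothing.
    static Set<String> roles(Subject subject, Map<Principal, String> mapping) {
        Set<String> granted = new TreeSet<>();
        for (Principal p : subject.getPrincipals()) {
            String role = mapping.get(p);
            if (role != null) granted.add(role);
        }
        return granted;
    }

    public static void main(String[] args) {
        // The four mappings from the message, keyed on domain + class + name.
        Map<Principal, String> mapping = new HashMap<>();
        mapping.put(new DomainWrapped("S1", new GroupPrincipal("g1")), "r1");
        mapping.put(new DomainWrapped("S1", new GroupPrincipal("g2")), "r2");
        mapping.put(new DomainWrapped("S2", new GroupPrincipal("g1")), "r2");
        mapping.put(new DomainWrapped("S2", new GroupPrincipal("g2")), "r1");

        System.out.println("S1 g1 -> " + roles(login("S1", "g1"), mapping));
        System.out.println("S2 g1 -> " + roles(login("S2", "g1"), mapping));
        // A login domain absent from the mapping yields no roles at all.
        System.out.println("S3 g1 -> " + roles(login("S3", "g1"), mapping));
    }
}
```

Because the mapping contains only wrapped principals, a subject authenticated by a login module that the mapping does not name ends up with an empty role set, which is the fail-closed behaviour you want when two modules share a principal class.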
