For interest's sake, how would you use this to implement the below? If you have a doc specifying this, can you send me the link? This explanation made it sound interesting, as I myself have wondered about the WrappingLoginModule.
Q

On Mon, Sep 14, 2009 at 6:42 PM, David Jencks <[email protected]> wrote:
>
> On Sep 14, 2009, at 12:51 AM, Ivan wrote:
>
>> Hi
>> In the LoginModuleGBean, there is an attribute named loginDomainName. I
>> went through the code and just found that while the WrappingLoginModule is
>> turned on, those domainNames are used in the Subject as DomainPrincipal.
>> Except for this, is there any use for those loginDomainNames? And, I did
>> not find any example for WrappingLoginModule, so when would we use it?
>> Thanks!
>
> I thought this was documented somewhere, but I could easily be wrong, and
> the explanation might not include enough info for anyone to know why...
>
> Most people use the simplest form of principal-role mapping, where you
> specify the class and name of the actual Principal from the login module you
> specify. However, it's possible to think up more complicated scenarios
> where this is not enough to identify the principal for the principal-role
> mapping.
>
> Let's suppose you have an ejb app C with 2 web apps A and B in front of it.
> Your ejb app has 2 roles r1 and r2. You have two legacy security systems
> S1 and S2 with proprietary login modules that both happen to supply the same
> principal class. You need to use S1 with A and S2 with B. S1 and S2 both
> provide principals with names "g1" and "g2" but the meaning is opposite.....
> you need
>
> For S1 and A,
> "g1" > r1
> "g2" > r2
>
> but for S2 and B,
> "g1" > r2
> "g2" > r1
>
> So, you need more information to distinguish the principals so you can map
> them to the correct roles. Geronimo lets you wrap the original principals
> with a wrapper that contains a name of the login module "loginDomainName"
> and the name of the security realm, and the principal-role mapping can
> specify these as well. You'd use the loginDomainName if you set up a single
> security realm that includes the login modules for S1 and S2, and the
> security realm if you set up two separate security realms.
>
> I don't know if anyone has used this or ever will, but we thought we'd be
> thorough.
>
> thanks
> david jencks
>
>> --
>> Ivan
>
>

--
Quintin Beukes
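
The S1/S2 scenario from the quoted explanation, as an added sketch that is not part of the thread and is not Geronimo's code: it uses only the standard JAAS `Subject` and `Principal` types, and `LegacyGroup`, `DomainWrapped`, `Key` and `ROLE_MAP` are hypothetical names standing in for the legacy principal class, the wrapper and the principal-role mapping. A mapping keyed on class and name alone cannot tell S1's "g1" from S2's "g1"; adding the login domain to the key resolves it.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;

public class DomainRoleMappingDemo {
    // Hypothetical stand-in for the one principal class that both S1 and S2 supply.
    record LegacyGroup(String name) implements Principal {
        public String getName() { return name; }
    }

    // Hypothetical wrapper: the original principal plus the login domain that produced it.
    record DomainWrapped(String loginDomain, Principal wrapped) implements Principal {
        public String getName() { return loginDomain + "::" + wrapped.getName(); }
    }

    // Mapping key: login domain + principal class + principal name.
    record Key(String loginDomain, Class<?> type, String name) {}

    // The mapping from the thread: same names, opposite meaning per login domain.
    static final Map<Key, String> ROLE_MAP = Map.of(
        new Key("S1", LegacyGroup.class, "g1"), "r1",
        new Key("S1", LegacyGroup.class, "g2"), "r2",
        new Key("S2", LegacyGroup.class, "g1"), "r2",
        new Key("S2", LegacyGroup.class, "g2"), "r1");

    // Only wrapped principals are consulted; a raw LegacyGroup is ambiguous and grants nothing.
    static Set<String> rolesFor(Subject subject) {
        Set<String> roles = new TreeSet<>();
        for (DomainWrapped p : subject.getPrincipals(DomainWrapped.class)) {
            Principal inner = p.wrapped();
            String role = ROLE_MAP.get(new Key(p.loginDomain(), inner.getClass(), inner.getName()));
            if (role != null) roles.add(role);
        }
        return roles;
    }

    // Simulates a login: the module adds its raw principal, the wrapping step adds the wrapper.
    static Subject login(String loginDomain, String group) {
        Subject s = new Subject();
        LegacyGroup raw = new LegacyGroup(group);
        s.getPrincipals().add(raw);
        s.getPrincipals().add(new DomainWrapped(loginDomain, raw));
        return s;
    }

    public static void main(String[] args) {
        System.out.println("S1/g1 -> " + rolesFor(login("S1", "g1")));
        System.out.println("S2/g1 -> " + rolesFor(login("S2", "g1")));
    }
}
```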
