> -----Original Message-----
> From: David Jencks [mailto:[EMAIL PROTECTED]
>
> I think so.
>
> However, I'm pretty confused at the moment by all the different
> concepts around security. If you could spend a few minutes and explain
> how
>
> contextID
> realm
> role
> principal
> permission
>
> relate I'd really appreciate it. In particular I really don't
> understand how realms and contextIDs relate and may have put the wrong
> call in the EJBModuleDeploymentPlanner.
This can be split up into two parts, Authentication and Authorization.

On the authentication side, Security realms provide LoginModules that populate Subjects w/ their principals. Geronimo wraps these LoginModules with its own so that it can register the Subjects and perform various optimizations; I was thinking that it would be a good idea to allow non-Geronimo LoginModules.

Authorization is handled by PolicyConfigurations; these are indexed by context ids which uniquely identify a deployed application. Roles and their permissions are registered w/ the PolicyConfiguration. I have further extended this so that principals can be mapped to roles and then, as an optimization, principals are mapped to permissions.

Your call in EJBModuleDeploymentPlanner looks fine to me. The policy configurations are obtained from the PolicyConfigurationFactory. You must register the factory in the system properties:

    System.setProperty("javax.security.jacc.PolicyConfigurationFactory.provider",
                       "org.apache.geronimo.security.GeronimoPolicyConfigurationFactory");

I'm thinking that the best place to do this is in the SecurityService so that it can be configured to use third party security PolicyConfigurations.

> When a call comes in from the outside world, how is the realm
> determined?

This is a question that is pregnant w/ scenarios. The easiest is w/ an InitialContext. We can add a realm property key, e.g. org.apache.geronimo.realm, for login to take place when obtaining a JNDI context. For other scenarios, we'll need principal mappers; I should point out that the Geronimo login wrapper copies the principals that were created by the security realm logins and places them into special principals that have realm information, i.e. RealmPrincipal.

I hope that that makes sense.

Regards,
Alan
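The authorization half of the reply, as an added worked example that is not code from the thread or from Geronimo: it registers the provider class named in the mail through the system property, obtains a PolicyConfiguration for a context id, registers roles and their EJB method permissions, commits, and then shows the call-time check the container performs against the Policy. The context id, bean name, role names and method names are constructed for illustration; how the caller's principals are mapped to the roles is provider-specific (the mail says Geronimo maps principals to roles and then to permissions), so the ProtectionDomain passed to isAllowed is assumed to carry whatever principals the provider expects.

```java
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import javax.security.jacc.EJBMethodPermission;
import javax.security.jacc.PolicyConfiguration;
import javax.security.jacc.PolicyConfigurationFactory;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;

public class JaccContextExample {

    // Provider class named in the mail; a third-party JACC provider would be named here instead.
    static final String PROVIDER =
        "org.apache.geronimo.security.GeronimoPolicyConfigurationFactory";

    // Hypothetical context id for one deployed EJB module (constructed for this example).
    // Each deployed application gets its own id, so its policy never bleeds into another's.
    static final String CONTEXT_ID = "example-app/ejb/AccountBean";

    // Deployment time: roles and their permissions are registered under the module's context id.
    static PolicyConfiguration configure() throws ClassNotFoundException, PolicyContextException {
        System.setProperty("javax.security.jacc.PolicyConfigurationFactory.provider", PROVIDER);
        PolicyConfigurationFactory factory = PolicyConfigurationFactory.getPolicyConfigurationFactory();

        // 'true' discards any earlier state for this context id, so a redeploy starts clean.
        PolicyConfiguration config = factory.getPolicyConfiguration(CONTEXT_ID, true);

        // Method permissions constructed for the example (bean, method, interface, parameter types).
        Permission debit   = new EJBMethodPermission("AccountBean", "debit", "Remote", new String[] { "double" });
        Permission balance = new EJBMethodPermission("AccountBean", "getBalance", "Remote", null);
        Permission ping    = new EJBMethodPermission("AccountBean", "ping", "Remote", null);

        config.addToRole("teller", debit);       // tellers may debit and read balances
        config.addToRole("teller", balance);
        config.addToRole("customer", balance);   // customers may only read balances
        config.addToUncheckedPolicy(ping);       // ping needs no role at all

        // Nothing is enforceable until commit(); after it, inService() reports true.
        config.commit();
        return config;
    }

    // Call time: the container selects the context id on the calling thread, then asks the
    // Policy whether the caller's ProtectionDomain (carrying the Subject's principals) implies
    // the permission for the invoked method. The context id is cleared afterwards so a reused
    // thread cannot evaluate a later call against the wrong application's policy.
    static boolean isAllowed(ProtectionDomain callerDomain, Permission requested)
            throws PolicyContextException {
        PolicyContext.setContextID(CONTEXT_ID);
        try {
            return Policy.getPolicy().implies(callerDomain, requested);
        } finally {
            PolicyContext.setContextID(null);
        }
    }

    public static void main(String[] args) throws Exception {
        configure();
        Permission debit = new EJBMethodPermission("AccountBean", "debit", "Remote", new String[] { "double" });
        // The principals placed here must already have been mapped to "teller" by the provider.
        ProtectionDomain caller = new ProtectionDomain(null, null, null, new java.security.Principal[0]);
        System.out.println("debit allowed for empty principal set: " + isAllowed(caller, debit));
    }
}
```

Running this needs the named provider (or another JACC provider) on the classpath; with no principals in the domain, the debit check above is expected to fail, which is the point of keeping per-context, per-role grants separate from unchecked ones.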