Daniel Schulze wrote:
DS> But of course there are a lot of things left to do:
Sure.

DS> 1. Documentation 
DS> Oleg, do you already have something like that? If so, could you forward
DS> it?
Look at
http://www.mail-archive.com/[email protected]/msg04170.html
This is all that I have written
(oh, and also comments in auth.conf :-)
I know, that I should write more...
Any help is appreciated. You now, my English is rather bad, so I'd
prefer that somebody else write the official jBoss manual on security.

DS> 2. the SecurityAssociation
DS> ... on the client side works global (static) to follow the idea of jaas
No, this is the original design by Dan O'Connor, who didn't take JAAS
into account, I guess :-)
I hope you are aware that JAAS use is not mandatory,
one can use the security interfaces from org.jboss.system directly.

DS> it should work thread based, so the principal/credential should be
DS> ThreadLocal on the client side too.
Why? A client with multiple identities? Schizophrenic????

DS> Furthermore, I would suggest taking the principal/credential information
DS> somehow from the Subject that is currently executing the thread and not
DS> putting it into a static place from within the LoginModule. I don't know
DS> yet how Tomcat works with that but I will have a look at it right now..
Oh, I see: you take care of Tomcat.
Well, I don't know the details, but I remember that both Dan O'Connor
and Kevin Lewis have done jBoss+Tomcat "security integration" and they
haven't mentioned any problems with the static principal on the client.

DS> 3. JRMP over SSL?
That's really important!
I don't know much on this topic, and I rely on you.

4. Implementation of isCallerInRole()

5. Use of the "principal for beans" in getCallerPrincipal()
(now the "original principal" is used there)

6. Secondary realm mapping: the set of roles for beans to be defined
by (XML) file in terms of the roles of some primary realm mapping.
This can be done as a "secondary" LoginModule that would be executed
after the "primary" LoginModule and change the set of Credentials
(roles) following the given rules.

Best regards,
 Oleg 
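To make items 4 and 6 above concrete, here is an added Java example (an editor's illustration, not Oleg's code and not jBoss's own security classes): a "secondary" JAAS LoginModule that is listed after the primary module in the same login configuration entry and, in commit(), replaces the primary realm's role principals on the Subject with bean roles according to rules read from its options, plus an isCallerInRole() check over the mapped result. The RolePrincipal class, the `map.<primaryRole>=<beanRole>,...` option format and the sample roles are assumptions constructed for this example.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical role principal (constructed for this example; not a jBoss class). */
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name);
    }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return "Role(" + name + ")"; }
}

/**
 * Secondary LoginModule: listed after the primary module, it replaces the primary
 * realm's role principals with bean roles according to options of the form
 *   map.<primaryRole> = <beanRole>[,<beanRole>...]     (assumed format)
 * A primary role with no rule is dropped, so an unmapped role never reaches a bean.
 */
public class RoleMappingLoginModule implements LoginModule {
    private Subject subject;
    private final Map<String, Set<String>> rules = new HashMap<>();
    private final Set<Principal> added = new HashSet<>();
    private final Set<Principal> removed = new HashSet<>();

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        for (Map.Entry<String, ?> e : options.entrySet()) {
            if (!e.getKey().startsWith("map.")) continue;
            Set<String> targets = new LinkedHashSet<>();
            for (String t : String.valueOf(e.getValue()).split(",")) {
                if (!t.trim().isEmpty()) targets.add(t.trim());
            }
            rules.put(e.getKey().substring("map.".length()), targets);
        }
    }

    @Override
    public boolean login() {
        // Nothing to authenticate here: the primary module already did that.
        return true;
    }

    @Override
    public boolean commit() throws LoginException {
        if (subject.isReadOnly()) throw new LoginException("Subject is read-only");
        // Snapshot the primary realm's roles, then compute the replacement set.
        for (RolePrincipal p : new HashSet<>(subject.getPrincipals(RolePrincipal.class))) {
            removed.add(p);
            Set<String> targets = rules.get(p.getName());
            if (targets == null) continue;           // unmapped primary role: dropped
            for (String t : targets) added.add(new RolePrincipal(t));
        }
        subject.getPrincipals().removeAll(removed);
        subject.getPrincipals().addAll(added);
        return true;
    }

    @Override
    public boolean abort() {
        added.clear();
        removed.clear();
        return true;
    }

    @Override
    public boolean logout() {
        subject.getPrincipals().removeAll(added);
        added.clear();
        removed.clear();
        return true;
    }

    /** isCallerInRole() over the mapped roles: true iff the Subject carries that bean role. */
    public static boolean isCallerInRole(Subject subject, String role) {
        for (RolePrincipal p : subject.getPrincipals(RolePrincipal.class)) {
            if (p.getName().equals(role)) return true;
        }
        return false;
    }

    /** Stand-alone demo: drives the module directly instead of through a LoginContext. */
    public static void main(String[] args) throws LoginException {
        Subject subject = new Subject();
        // Roles a (hypothetical) primary module would have put on the Subject.
        subject.getPrincipals().add(new RolePrincipal("ldap-admins"));
        subject.getPrincipals().add(new RolePrincipal("ldap-guests"));

        Map<String, String> options = new HashMap<>();   // constructed rules
        options.put("map.ldap-admins", "BeanAdmin,BeanUser");
        options.put("map.ldap-users", "BeanUser");

        RoleMappingLoginModule mod = new RoleMappingLoginModule();
        mod.initialize(subject, null, new HashMap<String, Object>(), options);
        mod.login();
        mod.commit();

        System.out.println("mapped roles: " + subject.getPrincipals());
        System.out.println("BeanAdmin? " + isCallerInRole(subject, "BeanAdmin"));
        System.out.println("ldap-guests? " + isCallerInRole(subject, "ldap-guests"));
    }
}
```

In a real login configuration the primary module and this one would share an entry, with this module marked required so that a failure in the mapping step (for instance a read-only Subject) fails the whole login rather than silently leaving the primary realm's roles in place.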