Hi Scott,
If I understand correctly, you propose the diagram for the security documentation on
the jBoss site, right? Then send it directly to Marc :-)
BTW, I drew sequence diagrams during the discussion of JAAS security
on the jBoss mailing list, see
http://www.mail-archive.com/[email protected]/msg03477.html
:-)
It is somewhat outdated, though. Things were changed after
the discussion with Dan. The server part was made stateless.
In particular, there is no logout now.
Oleg
Scott M Stark wrote:
SMS> A little contribution to this security discussion. I have created a sequence diagram showing
SMS> the steps involved with the client's setup of the security context used for the jBoss
SMS> calls. This only includes the org.jboss.security.ClientLoginModule and the diagram
SMS> shows that this module just sets up the jboss client side environment to marshall the
SMS> Principal and password obtained from the CallbackHandler implemented by the
SMS> client application. Most likely one would have a second LoginModule implementation
SMS> to validate the credentials rather than waiting for calls to fail when any server side
SMS> LoginModule performs validation (at least I would).
SMS>
SMS> One thing I saw in going through the ClientLoginModule is that the logout() method
SMS> does not clear the SecurityAssociation state as the abort() method does. This means
SMS> that once the user has performed a login(), they remain that user for the duration of
SMS> the client, even after a logout(). Shouldn't logout() clear the SecurityAssociation
SMS> state as well?
SMS>
SMS> PS, the list won't allow attachments to be sent so where should I place the diagram? As
SMS> a documentation bug attachment?
SMS> --
SMS> --------------------------------------------------------------
SMS> To subscribe: [EMAIL PROTECTED]
SMS> To unsubscribe: [EMAIL PROTECTED]
SMS> Problems?: [EMAIL PROTECTED]
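As an added illustration of the logout() point raised in the quoted message (example code written for this page, not JBoss's own ClientLoginModule): a minimal JAAS LoginModule in which both abort() and logout() drop the per-thread identity, so a client thread cannot keep acting as the previous user after logging out. ClientSecurityAssociation is a hypothetical stand-in for org.jboss.security.SecurityAssociation, and the callback handler, user name and password in main() are constructed.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical stand-in for the client-side SecurityAssociation: one identity per thread.
final class ClientSecurityAssociation {
    private static final ThreadLocal<String> PRINCIPAL = new ThreadLocal<>();
    private static final ThreadLocal<char[]> CREDENTIAL = new ThreadLocal<>();
    static void set(String p, char[] c) { PRINCIPAL.set(p); CREDENTIAL.set(c); }
    static String principal() { return PRINCIPAL.get(); }
    static void clear() { PRINCIPAL.remove(); CREDENTIAL.remove(); }
}

public class ClearingClientLoginModule implements LoginModule {
    private CallbackHandler handler;
    private String name; private char[] password;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { handler = h; }
    // Collect the principal and password from the application's CallbackHandler; nothing is validated here.
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("user: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nameCb, passCb }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e.getMessage()); }
        name = nameCb.getName();
        password = passCb.getPassword();
        return true;
    }
    public boolean commit() { ClientSecurityAssociation.set(name, password); return true; }
    // Both exits from the authenticated state drop the association; if logout() skipped this,
    // the thread would keep acting as the previous user, which is the defect discussed above.
    public boolean abort() { ClientSecurityAssociation.clear(); return true; }
    public boolean logout() { ClientSecurityAssociation.clear(); return true; }
    public static void main(String[] args) throws Exception {
        // Constructed callback handler standing in for the client application's own.
        CallbackHandler app = cbs -> {
            for (Callback c : cbs) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("s3cret".toCharArray());
            }
        };
        LoginModule lm = new ClearingClientLoginModule();
        lm.initialize(new Subject(), app, Map.of(), Map.of());
        lm.login(); lm.commit();
        System.out.println("after login:  " + ClientSecurityAssociation.principal());
        lm.logout();
        System.out.println("after logout: " + ClientSecurityAssociation.principal());
    }
}
```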