Date: 2004-11-20T11:17:41
   Editor: AaronMulder <[EMAIL PROTECTED]>
   Wiki: Apache Geronimo Wiki
   Page: Security
   URL: http://wiki.apache.org/geronimo/Security

   no comment

Change Log:

------------------------------------------------------------------------------
@@ -116,6 +116,7 @@
    * One that rejects logins for a user after X unsuccessful attempts (in a 
row or in Y minutes)
    * One that validates against an LDAP login domain
    * One that validates client certificates against a particular certificate 
authority
+ * The {{{SQLLoginModule}}} needs to be updated to execute user-specific 
queries instead of loading the entire list of users and groups every time
  * The current {{{RealmPrincipal}}} gets the security realm name, whereas it 
really should get the login domain name
  * Therefore, we need to be able to specify a login domain name for every 
login module
  * Role mapping needs to change to support login domain names
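Review bot: the new {{{SQLLoginModule}}} item only states the performance goal; it should also say that the per-user query must bind the login name as a prepared-statement parameter rather than building the SQL from it, since the module will now be issuing a query that contains attacker-controlled input on every login attempt, and that a lookup miss and a password mismatch should fail the same way so the change does not start disclosing which user names exist. Suggested wording: "execute user-specific (parameterised) queries instead of loading the entire list of users and groups every time".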
@@ -123,11 +124,11 @@
    * You should be able to specify more than one default principal; for 
example, you might want the default (unauthenticated) subject to get one user 
principal and two group principals
  * Auto-mapping of principals to groups needs to be enhanced (better 
configuration, etc.)
  * The client-side Subject should be given all the Principals generated by 
server-side login modules (but not {{{RealmPrincipal}}}s).  There should be a 
configuration option to disable this.
+ * Maybe automatically return the server-side Subject for server-side usage of 
{{{JaasLoginCoordinator}}}
  * The old functionality to get a list of all available users and groups from 
a security realm has been broken.  It needs to be brought back in the form of a 
helper class that can be configured on the {{{GenericSecurityRealm}}}, but they 
need to handle arbitrary principal classes (not just "users" and "groups").
  * Replace the static registration with {{{GeronimoLoginConfiguration}}} with 
an IOC assignment of GLC to each security realm (or better yet, vice versa).
  * Update {{{geronimo-jetty.xml}}} to have the name of the security realm that 
Jetty should use to authenticate to.  Currently that's in a separate GBean, 
which is kind of icky and is subject to naming collisions across web apps
  * Handle user-provided {{{CallbackHandler}}}s in J2EE client applications
- * Maybe automatically return the server-side Subject for server-side usage of 
{{{JaasLoginCoordinator}}}
  * Add some kind of fancier validator object to a {{{SecurityRealm}}} that can 
enforce rules like "user only valid between 9 and 5".  It can't only reject new 
logins; it must also terminate an existing valid login at the appropriate time. 
 It's not clear how to do this right.  This would replace the previous ability 
to set a realm-specific max login duration.
  * Potentially replace realm bridges with connector-specific {{{LoginModule}}} 
classes that just add additional Principals to the Subject at the initial 
authentication time.
  * We need more tests of all this functionality
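Review bot: this hunk is a pure reorder, moving the "Maybe automatically return the server-side Subject for server-side usage of {{{JaasLoginCoordinator}}}" item up to sit beside the client-side Subject item, with no change to the text. Since the neighbouring item says the client-side Subject must not receive {{{RealmPrincipal}}}s, the moved item should make explicit that the server-side Subject (which does carry them) is handed back only to in-server callers of {{{JaasLoginCoordinator}}} and is never returned to a client; as written the two adjacent items read as if they pull in opposite directions.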
