users@glassfish.java.net

Re: JAAS, LoginContext and Glassfish

From: <glassfish_at_javadesktop.org>
Date: Fri, 15 Aug 2008 03:53:52 PDT

I must admit, currently I am a bit disappointed with Glassfish due to how JAAS is handled.

It seems a portable implementation is not possible because of having to extend AppservPasswordLoginModule and not LoginModule. This means I will have to change the code if I move to JBoss. Being able to run on both is a requirement at this point. Not only this, but extending the above-mentioned class severely limits how much the login process can be customised.

Maybe I am not understanding the underlying technologies. Here is what I planned to do but it seems it will not be possible (any advice/correction would be appreciated):

I wanted to protect my EJB methods using @RolesAllowed. From the little information I could find about JACC, I assumed I can implement a custom version that would decide if the user logged in has the required roles to execute the method, by extending EJBMethodPermission.

I was hoping to extend Principal to indicate for which client this principal applied, e.g. User has create_lollypop role for client a but not for client b. So the principal would contain the role name and the client name.

The extended EJBMethodPermission would then be able to check the role and client.

That was the idea. I believe it would be possible on JBoss or, worst-case scenario, manipulate the Principals depending on which client the user selected.

Neither of these seem to be a possibility for Glassfish due to the limiting requirements.

Am I correct in how I understand the technologies?
Am I using the correct tech for the problem, or should I move to Acegi or jGuard or something else?

Any help/criticism would be appreciated.
[Message sent by forum member 'drfranknfurter' (drfranknfurter)]

http://forums.java.net/jive/thread.jspa?messageID=293534