users@glassfish.java.net

Re: Deploying JAAS modules in EAR

From: <glassfish_at_javadesktop.org>
Date: Wed, 24 Sep 2008 14:20:43 PDT

> I know that, in order to port this application to
> Glassfish I have to implement a new Login Module but
> reading the documentation it seems that the only way
> to successfully use my module is editing the
> Glassfish configuration files. Is there a way to
> include these configuration parts in the EAR and have
> them applied automatically like with JBoss?

Glassfish has been optimized for the opposite case, wherein new security mechanisms can be applied to apps without having to repackage them or otherwise perturb them.

Glassfish does provide APIs that can be used to register a new authentication configuration system, but there is no native facility to interpret a (JAAS) configuration file embedded in your application.

If all of the authentication for your app will be done in the web tier, and if you want to use a JAAS login module to essentially validate a username and password, then you may find the Login Bridge Profile as defined in jsr 196 to facilitate something close to what you want to do. If your app has sufficient privileges (or the SecurityManager is disabled), then your app should be able to register its own AuthConfigProvider (see the jsr 196 spec) during its initialization. The AuthConfigProvider could cause a SAM implementing the LoginBridgeProfile to be invoked by the container to perform authentication on behalf of your web app; or you could just have the SAM do all the work that you are currently doing in your LoginModule. Moreover, JBOSS has committed to completing its support for jsr 196, at which time such a solution should work in both Glassfish and JBOSS, and eventually all web containers.

Ron

It sounds like the JBOSS container may have incorporated a custom JAAS configuration system that allows per application multiplexing of the config files.
Perhaps this can be done with the default JAAS configuration, by serializing through the LoginContext construction, and adding a new login.config.url.x property value (as defined in jre/lib/security/java.security) prior to the LoginContext construction (for an app) and removing it immediately after completing the construction.
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=301385