Can JAAS security domain info only be specified in server specific deployment descriptors?
I'm doing form-based authentication in JSF and I can get it to work but it requires a server specific deployment descriptor to specify the JAAS security domain info.
e.g. on JBoss 6 I need a WEB-INF/jboss-web.xml with the following:
    <jboss-web>
        <security-domain>java:/jaas/myAppDomain</security-domain>
    </jboss-web>
On GlassFish something similar needs to be in WEB-INF/sun-web.xml instead.
Is there a vendor neutral way to do this in EE6? And if not, then why?
Is there a vendor neutral way to do this in EE6?
Yes, there is. You'll need to specify the realm name in the web.xml file, in a manner similar to the one shown below:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns="http://java.sun.com/xml/ns/javaee"
             xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
             version="3.0">
        ...
        <login-config>
            <auth-method>FORM</auth-method>
            <!-- the name of the realm created in the application server should be specified here -->
            <realm-name>myRealm</realm-name>
            <form-login-config>
                <form-login-page>/login.xhtml</form-login-page>
                <form-error-page>/login-error.xhtml</form-error-page>
            </form-login-config>
        </login-config>
        ...
    </web-app>
The above works in GlassFish without any entries in sun-web.xml, except for the role to group mapping (that is used for enforcing authorization constraints).
Specifying the security-domain element in the JBoss deployment descriptor is a better approach when you have a web module and an EJB module that must use principals from only one Security Manager in JBoss (and the equivalent implementations in other containers).
Given how JAAS login modules work, and that one cannot specify a realm for authentication in ejb-jar.xml, it is quite possible that the EJB container will permit a business method invocation based on a successful authentication response from a different Login Module (than what you intended). This would mean that a user in a different realm but the same group (mapped to the permitted role for the business method) is capable of invoking the business method. It is to avoid this scenario that one would specify the security domain in the vendor-specific deployment descriptor.
Note - I'm unsure of the behavior of the container in choosing a JAAS Login Module for EJBs deployed in a WAR.
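Putting the answer together as a complete, added example (this is not code from the question or the answer): the vendor-neutral web.xml and the login page it points at, followed by the two vendor descriptors that remain, the GlassFish role-to-group mapping and the JBoss security-domain binding. The /secured/* URL pattern, the admin role and the administrators group are assumed names chosen for the illustration; myRealm and java:/jaas/myAppDomain are the values used above. Several files are shown in one listing, each introduced by a comment giving its path.

```xml
<!-- Added example, not from the original question or answer. Assumed names:
     the /secured/* URL pattern, the "admin" role and the "administrators"
     group. "myRealm" and "java:/jaas/myAppDomain" are the page's own values. -->

<!-- WEB-INF/web.xml : vendor-neutral (Servlet 3.0). Declares what is
     protected, which role may reach it, and the FORM login pages. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured pages</web-resource-name>
      <url-pattern>/secured/*</url-pattern>   <!-- assumed pattern -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>            <!-- assumed role -->
    </auth-constraint>
    <user-data-constraint>
      <!-- the form posts a password: require TLS for the protected area -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>myRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.xhtml</form-login-page>
      <form-error-page>/login-error.xhtml</form-error-page>
    </form-login-config>
  </login-config>

  <!-- every role used in an auth-constraint must also be declared here -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>

<!-- login.xhtml (web root, outside /secured/ so it is reachable anonymously).
     FORM authentication is handled by the container, so the page must POST
     to j_security_check with fields named j_username and j_password. A plain
     HTML form is used instead of <h:form>: h:form posts back to the JSF view
     and generates its own client ids, so the container would never see the
     credentials. -->
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://java.sun.com/jsf/html">
<h:head><title>Login</title></h:head>
<h:body>
  <form method="post" action="j_security_check">
    <label for="j_username">User</label>
    <input id="j_username" type="text" name="j_username" />
    <label for="j_password">Password</label>
    <input id="j_password" type="password" name="j_password" />
    <input type="submit" value="Log in" />
  </form>
</h:body>
</html>

<!-- WEB-INF/sun-web.xml (GlassFish; newer releases read the same element from
     WEB-INF/glassfish-web.xml under a <glassfish-web-app> root). This is the
     one piece the answer says still needs the vendor file: mapping the
     application role onto the group name the realm reports for the user. -->
<sun-web-app>
  <security-role-mapping>
    <role-name>admin</role-name>
    <group-name>administrators</group-name>   <!-- assumed group -->
  </security-role-mapping>
</sun-web-app>

<!-- WEB-INF/jboss-web.xml (JBoss 6): binds the WAR to one security domain so
     the web module and any EJB module use principals from the same security
     manager, which is the point the answer makes about security-domain. -->
<jboss-web>
  <security-domain>java:/jaas/myAppDomain</security-domain>
</jboss-web>
```

The check to run after deploying: request a page under /secured/ anonymously and confirm the container redirects to /login.xhtml; then log in with a user whose realm group is administrators and confirm the page is served, and with a user in a different group and confirm a 403. If the second user gets in, the role-to-group mapping (or, on JBoss, the security-domain binding) is not being applied to the module you think it is.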