
Can JAAS security domain info only be specified in server specific deployment descriptors?

Developer https://www.devze.com 2023-03-16 00:50 Source: web
I'm doing form-based authentication in JSF and I can get it to work but it requires a server specific deployment descriptor to specify the JAAS security domain info.

e.g. on JBoss 6 I need a WEB-INF/jboss-web.xml with the following:

<jboss-web>
    <security-domain>java:/jaas/myAppDomain</security-domain>
</jboss-web>

On glassfish something similar needs to be in WEB-INF/sun-web.xml instead.

Is there a vendor-neutral way to do this in EE6? And if not, then why?


Is there a vendor-neutral way to do this in EE6?

Yes, there is. You'll need to specify the realm name in the web.xml file, in a manner similar to the one shown below:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
...
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>myRealm</realm-name> <!-- the name of the realm created in the application server should be specified here -->
        <form-login-config>
            <form-login-page>/login.xhtml</form-login-page>
            <form-error-page>/login-error.xhtml</form-error-page>
        </form-login-config>
    </login-config>
...
</web-app>

The above works in Glassfish without any entries in sun-web.xml, except for the role to group mapping (that is used for enforcing authorization constraints).

Specifying the security-domain element in the JBoss deployment descriptor is a better approach when you have a web module and an EJB module that must use principals from only one Security Manager in JBoss (and the equivalent implementations in other containers).

Given how JAAS login modules work and that one cannot specify a realm for authentication in ejb-jar.xml, it is quite possible that the EJB container will permit a business method invocation based on successful authentication response from a different Login Module (than what you intended). This would mean that a user in a different realm but the same group (mapped to the permitted role for the business method) is capable of invoking the business method. It is to avoid this scenario that one would specify the security domain in the vendor-specific deployment descriptor.

Note - I'm unsure of the behavior of the container in choosing a JAAS Login Module for EJBs deployed in a WAR.

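The login-config above only tells the container how to authenticate; nothing is protected until web.xml also declares which URLs require which roles, and those role names are what the vendor descriptor (sun-web.xml on GlassFish) later maps to realm groups. The following web.xml fragment is an added example, not from the original answer; the role name appUser, the URL pattern /secure/* and the page names are assumptions.

```xml
<!-- Added example (not from the answer above): the authorization half of the
     standard web.xml that complements the vendor-neutral <login-config>.
     Assumed values: role "appUser", protected area "/secure/*". -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected pages</web-resource-name>
        <!-- Only this subtree requires a login. The form-login-page
             (/login.xhtml) and form-error-page must stay OUTSIDE this
             pattern, otherwise the container redirects to a page that
             itself requires authentication and the login loops. -->
        <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- Portable role name; it is NOT a realm group. On GlassFish this
             name is mapped to a group of "myRealm" in WEB-INF/sun-web.xml
             (<security-role-mapping>), on JBoss via the security domain. -->
        <role-name>appUser</role-name>
    </auth-constraint>
</security-constraint>

<!-- Every role referenced in an <auth-constraint> should be declared here so
     the deployment tooling can validate the mapping at deploy time. -->
<security-role>
    <role-name>appUser</role-name>
</security-role>
```

With this in place, a request to /secure/* from an unauthenticated session is redirected to /login.xhtml, whose form must post j_username and j_password to j_security_check for the container-managed FORM flow.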
