From: <ani...@jb...> - 2006-07-10 15:04:58

For the web layer, currently we have multiple JBoss realms, namely JBossSecurityMgrRealm, JaccAuthorizationRealm (maybe more in future??) that have a variance in how they do authorization only. I would like to unify these realms into a single realm called JBossRealm in which the authorization decisions (hasResourcePermission, hasRole and hasUserDataPermission) will be delegated to the authorization framework (authorization modules that do default web behavior, JACC behavior, XACML behavior or custom authz behavior will drive the decision).

To this end, I am planning to define a separate security domain for the realm (not to mix with the application defined realm). The authentication process still happens based on the app specified security domain, via the security manager obtained through the JNDI binding. This separate security domain will have the authorization module that defines the default Tomcat authorization logic (replaceable with a module that does JACC).

Questions:

1) Any issues in unification of the realm?
2) Will the separate security domain confuse the user? If not, we will have to force them to add the default web authorization module to their security domain.

View the original post: http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3956614#3956614