Posted to dev@geronimo.apache.org by Ivan <xh...@gmail.com> on 2009/09/14 09:51:22 UTC
The setting of LoginDomainName attribute of the LoginModuleGBean
Hi
In the LoginModuleGBean, there is an attribute named loginDomainName. I
went through the code and just found that while the WrappingLoginModule is
turned on, those domainNames are used in the Subject as DomainPrincipal.
Except for this, is there any use for those loginDomainNames? And I did
not find any example for WrappingLoginModule, so when would we use it?
Thanks !
--
Ivan
Re: The setting of LoginDomainName attribute of the LoginModuleGBean
Posted by chi runhua <ch...@gmail.com>.
I think this is the page that David mentioned:
http://cwiki.apache.org/GMOxDOC22/configuring-login-modules.html
Jeff C
On Tue, Sep 15, 2009 at 4:56 AM, Quintin Beukes <qu...@skywalk.co.za> wrote:
> For interest sake, how would you use this to implement the below?
>
> If you have a doc specifying this, can you send me the link. This
> explanation made it sound interesting, as I myself have wondered about
> the WrappingLoginModule.
>
> Q
>
> On Mon, Sep 14, 2009 at 6:42 PM, David Jencks <da...@yahoo.com>
> wrote:
> >
> > On Sep 14, 2009, at 12:51 AM, Ivan wrote:
> >
> >> Hi
> >> In the LoginModuleGBean, there is an attribute named loginDomainName. I
> >> went through the code and just found that while the WrappingLoginModule is
> >> turned on, those domainNames are used in the Subject as DomainPrincipal.
> >> Except for this, is there any use for those loginDomainNames? And I did
> >> not find any example for WrappingLoginModule, so when would we use it?
> >> Thanks !
> >
> > I thought this was documented somewhere, but I could easily be wrong, and
> > the explanation might not include enough info for anyone to know why...
> >
> > Most people use the simplest form of principal-role mapping, where you
> > specify the class and name of the actual Principal from the login module you
> > specify. However, it's possible to think up more complicated scenarios
> > where this is not enough to identify the principal for the principal-role
> > mapping.
> >
> > Let's suppose you have an ejb app C with 2 web apps A and B in front of it.
> > Your ejb app has 2 roles r1 and r2. You have two legacy security systems
> > S1 and S2 with proprietary login modules that both happen to supply the same
> > principal class. You need to use S1 with A and S2 with B. S1 and S2 both
> > provide principals with names "g1" and "g2" but the meaning is opposite.....
> > you need
> >
> > For S1 and A,
> > "g1" > r1
> > "g2" > r2
> >
> > but for S2 and B,
> > "g1" > r2
> > "g2" > r1
> >
> > So, you need more information to distinguish the principals so you can map
> > them to the correct roles. Geronimo lets you wrap the original principals
> > with a wrapper that contains a name of the login module "loginDomainName"
> > and the name of the security realm, and the principal-role mapping can
> > specify these as well. You'd use the loginDomainName if you set up a single
> > security realm that includes the login modules for S1 and S2, and the
> > security realm if you set up two separate security realms.
> >
> > I don't know if anyone has used this or ever will, but we thought we'd be
> > thorough.
> >
> > thanks
> > david jencks
> >
> >> --
> >> Ivan
> >
> >
>
>
>
> --
> Quintin Beukes
>
Re: The setting of LoginDomainName attribute of the LoginModuleGBean
Posted by Quintin Beukes <qu...@skywalk.co.za>.
For interest sake, how would you use this to implement the below?
If you have a doc specifying this, can you send me the link. This
explanation made it sound interesting, as I myself have wondered about
the WrappingLoginModule.
Q
On Mon, Sep 14, 2009 at 6:42 PM, David Jencks <da...@yahoo.com> wrote:
>
> On Sep 14, 2009, at 12:51 AM, Ivan wrote:
>
>> Hi
>> In the LoginModuleGBean, there is an attribute named loginDomainName. I
>> went through the code and just found that while the WrappingLoginModule is
>> turned on, those domainNames are used in the Subject as DomainPrincipal.
>> Except for this, is there any use for those loginDomainNames? And I did
>> not find any example for WrappingLoginModule, so when would we use it?
>> Thanks !
>
> I thought this was documented somewhere, but I could easily be wrong, and
> the explanation might not include enough info for anyone to know why...
>
> Most people use the simplest form of principal-role mapping, where you
> specify the class and name of the actual Principal from the login module you
> specify. However, it's possible to think up more complicated scenarios
> where this is not enough to identify the principal for the principal-role
> mapping.
>
> Let's suppose you have an ejb app C with 2 web apps A and B in front of it.
> Your ejb app has 2 roles r1 and r2. You have two legacy security systems
> S1 and S2 with proprietary login modules that both happen to supply the same
> principal class. You need to use S1 with A and S2 with B. S1 and S2 both
> provide principals with names "g1" and "g2" but the meaning is opposite.....
> you need
>
> For S1 and A,
> "g1" > r1
> "g2" > r2
>
> but for S2 and B,
> "g1" > r2
> "g2" > r1
>
> So, you need more information to distinguish the principals so you can map
> them to the correct roles. Geronimo lets you wrap the original principals
> with a wrapper that contains a name of the login module "loginDomainName"
> and the name of the security realm, and the principal-role mapping can
> specify these as well. You'd use the loginDomainName if you set up a single
> security realm that includes the login modules for S1 and S2, and the
> security realm if you set up two separate security realms.
>
> I don't know if anyone has used this or ever will, but we thought we'd be
> thorough.
>
> thanks
> david jencks
>
>> --
>> Ivan
>
>
--
Quintin Beukes
Re: The setting of LoginDomainName attribute of the LoginModuleGBean
Posted by David Jencks <da...@yahoo.com>.
On Sep 14, 2009, at 12:51 AM, Ivan wrote:
> Hi
> In the LoginModuleGBean, there is an attribute named
> loginDomainName. I went through the code and just found that while the
> WrappingLoginModule is turned on, those domainNames are used in the
> Subject as DomainPrincipal. Except for this, is there any use for
> those loginDomainNames? And I did not find any example for
> WrappingLoginModule, so when would we use it?
> Thanks !
I thought this was documented somewhere, but I could easily be wrong,
and the explanation might not include enough info for anyone to know
why...
Most people use the simplest form of principal-role mapping, where you
specify the class and name of the actual Principal from the login
module you specify. However, it's possible to think up more
complicated scenarios where this is not enough to identify the
principal for the principal-role mapping.
Let's suppose you have an ejb app C with 2 web apps A and B in front of
it. Your ejb app has 2 roles r1 and r2. You have two legacy security
systems S1 and S2 with proprietary login modules that both happen to
supply the same principal class. You need to use S1 with A and S2
with B. S1 and S2 both provide principals with names "g1" and "g2"
but the meaning is opposite..... you need
For S1 and A,
"g1" > r1
"g2" > r2
but for S2 and B,
"g1" > r2
"g2" > r1
So, you need more information to distinguish the principals so you can
map them to the correct roles. Geronimo lets you wrap the original
principals with a wrapper that contains a name of the login module
"loginDomainName" and the name of the security realm, and the
principal-role mapping can specify these as well. You'd use the
loginDomainName if you set up a single security realm that includes
the login modules for S1 and S2, and the security realm if you set up
two separate security realms.
I don't know if anyone has used this or ever will, but we thought we'd
be thorough.
thanks
david jencks
> --
> Ivan
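The S1/S2 scenario described in the thread, as an added example that is not part of the original messages and is not Geronimo's own code: it models the wrapping idea with plain JAAS types to show why the login domain must be part of the principal-role mapping key. The classes `LegacyGroup` and `DomainScoped` and the `login` helper are hypothetical stand-ins; Java 16 or later is assumed for records.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;

public class DomainScopedRoleMapping {
    // Stand-in for the single principal class that both legacy modules S1 and S2 emit.
    record LegacyGroup(String name) implements Principal {
        public String getName() { return name; }
    }

    // Hypothetical wrapper modelled on the thread's description: the original
    // principal plus the loginDomainName of the login module that produced it.
    record DomainScoped(String loginDomain, Principal wrapped) implements Principal {
        public String getName() { return loginDomain + "::" + wrapped.getName(); }
    }

    // A map keyed on LegacyGroup alone cannot hold both g1 -> r1 and g1 -> r2,
    // so the mapping key includes the login domain.
    static final Map<DomainScoped, String> ROLE_MAP = Map.of(
        new DomainScoped("S1", new LegacyGroup("g1")), "r1",
        new DomainScoped("S1", new LegacyGroup("g2")), "r2",
        new DomainScoped("S2", new LegacyGroup("g1")), "r2",
        new DomainScoped("S2", new LegacyGroup("g2")), "r1");

    // Simulates a login through one module followed by the wrapping step.
    // Assumption: the bare principal is kept and a wrapped copy is added beside it.
    static Subject login(String loginDomain, String... groups) {
        Subject subject = new Subject();
        for (String g : groups) {
            Principal original = new LegacyGroup(g);
            subject.getPrincipals().add(original);
            subject.getPrincipals().add(new DomainScoped(loginDomain, original));
        }
        return subject;
    }

    // Roles come only from wrapped principals; a bare LegacyGroup is ambiguous
    // between S1 and S2, so it grants nothing.
    static Set<String> rolesFor(Subject subject) {
        Set<String> roles = new TreeSet<>();
        for (DomainScoped p : subject.getPrincipals(DomainScoped.class)) {
            String role = ROLE_MAP.get(p);
            if (role != null) roles.add(role);
        }
        return roles;
    }

    public static void main(String[] args) {
        System.out.println("web app A via S1, g1: " + rolesFor(login("S1", "g1")));
        System.out.println("web app B via S2, g1: " + rolesFor(login("S2", "g1")));
    }
}
```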