JBoss.org Community Documentation
If the login modules bundled with the JBossSX framework do not work with your security environment, you can write your own custom login module implementation that does. Recall from the section on the JaasSecurityManager architecture that the JaasSecurityManager expects a particular usage pattern of the Subject principals set. You need to understand the JAAS Subject class's information storage features and the expected usage of these features to be able to write a login module that works with the JaasSecurityManager. This section examines this requirement and introduces two abstract base LoginModule implementations that can help you implement your own custom login modules.
You can obtain security information associated with a Subject in six ways in JBoss using the following methods:

java.util.Set getPrincipals()
java.util.Set getPrincipals(java.lang.Class c)
java.util.Set getPrivateCredentials()
java.util.Set getPrivateCredentials(java.lang.Class c)
java.util.Set getPublicCredentials()
java.util.Set getPublicCredentials(java.lang.Class c)
For Subject identities and roles, JBossSX has selected the most natural choice: the principals sets obtained via getPrincipals() and getPrincipals(java.lang.Class). The usage pattern is as follows:
User identities (username, social security number, employee ID, and so on) are stored as java.security.Principal objects in the Subject Principals set. The Principal implementation that represents the user identity must base comparisons and equality on the name of the principal. A suitable implementation is available as the org.jboss.security.SimplePrincipal class. Other Principal instances may be added to the Subject Principals set as needed.
The assigned user roles are also stored in the Principals set, but they are grouped in named role sets using java.security.acl.Group instances. The Group interface defines a collection of Principals and/or Groups, and is a subinterface of java.security.Principal. Any number of role sets can be assigned to a Subject. Currently, the JBossSX framework uses two well-known role sets with the names Roles and CallerPrincipal. The Roles Group is the collection of Principals for the named roles as known in the application domain under which the Subject has been authenticated. This role set is used by methods like EJBContext.isCallerInRole(String), which EJBs can use to see if the current caller belongs to the named application domain role. The security interceptor logic that performs method permission checks also uses this role set. The CallerPrincipal Group consists of the single Principal identity assigned to the user in the application domain. The EJBContext.getCallerPrincipal() method uses the CallerPrincipal to allow the application domain to map from the operational environment identity to a user identity suitable for the application. If a Subject does not have a CallerPrincipal Group, the application identity is the same as the operational environment identity.
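The following is an added illustration, not code from the JBoss documentation or the JBossSX project, of a custom LoginModule whose commit() populates the Subject exactly as described above: a SimplePrincipal for the user identity, a Roles group, and a CallerPrincipal group. It assumes the JBossSX class org.jboss.security.SimpleGroup (a Group implementation not mentioned on this page) and a JDK that still ships java.security.acl.Group; the "alice"/"secret" credential check is a constructed stand-in for a real credential store.

```java
import java.security.acl.Group;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.jboss.security.SimpleGroup;   // assumed JBossSX Group implementation
import org.jboss.security.SimplePrincipal;

public class ExampleLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String username;
    private boolean loginOk;
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("User name: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (Exception e) {
            throw new LoginException("Callback failed: " + e.getMessage());
        }
        username = nc.getName();
        // Constructed check for illustration only; a real module consults a credential store.
        loginOk = "alice".equals(username) && "secret".equals(new String(pc.getPassword()));
        if (!loginOk) throw new LoginException("Invalid user or password");
        return true;
    }
    public boolean commit() throws LoginException {
        if (!loginOk) return false;
        // 1. User identity: a name-based Principal in the Subject's principals set.
        subject.getPrincipals().add(new SimplePrincipal(username));
        // 2. "Roles" group: the application-domain roles consulted by isCallerInRole and the interceptor.
        Group roles = new SimpleGroup("Roles");
        roles.addMember(new SimplePrincipal("Employee"));
        subject.getPrincipals().add(roles);
        // 3. Optional "CallerPrincipal" group: the single identity returned by getCallerPrincipal.
        Group caller = new SimpleGroup("CallerPrincipal");
        caller.addMember(new SimplePrincipal("app-" + username));
        subject.getPrincipals().add(caller);
        return true;
    }
    public boolean abort() { username = null; loginOk = false; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; } // simplified cleanup
}
```

Omitting step 3 is valid: without a CallerPrincipal group, getCallerPrincipal() falls back to the operational identity added in step 1.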