Security subsystem and its security-domain definitions in the servlet-distribution

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Security subsystem and its security-domain definitions in the servlet-distribution

Yeray Borges
Hello everyone,

I'm doing a comparison between the different server configuration files generated in normal distribution and servlet-distribution, basically working on [1].

The security subsystem in the servlet distribution does not have these security domains configured whereas they are in the normal distribution:

<subsystem xmlns="urn:jboss:domain:security:2.0">
    <security-domains>
           ...
    <security-domain name="jboss-web-policy" cache-type="default">
        <authorization>
            <policy-module code="Delegating" flag="required"/>
        </authorization>
    </security-domain>
    <security-domain name="jboss-ejb-policy" cache-type="default">
        <authorization>
            <policy-module code="Delegating" flag="required"/>
        </authorization>
    </security-domain>
    <security-domain name="jaspitest" cache-type="default">
        <authentication-jaspi>
            <login-module-stack name="dummy">
                <login-module code="Dummy" flag="optional"/>
            </login-module-stack>
            <auth-module code="Dummy"/>
        </authentication-jaspi>
    </security-domain>
<security-domains>


I understand jboss-ejb-policy should not be configured because the servlet-distribution does not use ejbs, but what about jaspitest?
I have no clue if it has to be included or not in the servlet-distribution.

Do you know if we should include it?

Regards,
Yeray

[1] https://issues.jboss.org/browse/WFLY-10421

_______________________________________________
wildfly-dev mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/wildfly-dev
Reply | Threaded
Open this post in threaded view
|

Re: Security subsystem and its security-domain definitions in the servlet-distribution

arjan.tijms
Hi,

The jaspitest domain is to allow a (servlet) application to "activate" JASPIC and install JASPIC authentication modules without having to modify the server distribution.

For almost as long as JBoss supports JASPIC the promise has been that such explicit activation would some time in the future not be needed anymore. Initially the promise was that with Undertow this would be fixed, but when it wasn't Elytron would address it. Now that Elytron is there I'm not sure if it's indeed finally not needed anymore. Darran Lofthouse should be the one who knows.

If Elytron still requires the manual "activation" of JASPIC, then the jaspitest domain is likely needed. Both Tomcat and Jetty also support (the Servlet Container Profile of) JASPIC.

Kind regards,
Arjan




On Tue, Jun 19, 2018 at 3:54 PM Yeray Borges <[hidden email]> wrote:
Hello everyone,

I'm doing a comparison between the different server configuration files generated in normal distribution and servlet-distribution, basically working on [1].

The security subsystem in the servlet distribution does not have these security domains configured whereas they are in the normal distribution:

<subsystem xmlns="urn:jboss:domain:security:2.0">
    <security-domains>
           ...
    <security-domain name="jboss-web-policy" cache-type="default">
        <authorization>
            <policy-module code="Delegating" flag="required"/>
        </authorization>
    </security-domain>
    <security-domain name="jboss-ejb-policy" cache-type="default">
        <authorization>
            <policy-module code="Delegating" flag="required"/>
        </authorization>
    </security-domain>
    <security-domain name="jaspitest" cache-type="default">
        <authentication-jaspi>
            <login-module-stack name="dummy">
                <login-module code="Dummy" flag="optional"/>
            </login-module-stack>
            <auth-module code="Dummy"/>
        </authentication-jaspi>
    </security-domain>
<security-domains>


I understand jboss-ejb-policy should not be configured because the servlet-distribution does not use ejbs, but what about jaspitest?
I have no clue if it has to be included or not in the servlet-distribution.

Do you know if we should include it?

Regards,
Yeray

[1] https://issues.jboss.org/browse/WFLY-10421
_______________________________________________
wildfly-dev mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/wildfly-dev

_______________________________________________
wildfly-dev mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/wildfly-dev