Chapter 18. Role-Based Security in Applications
18.1. About the Security Extension Architecture
The first part of the infrastructure is the JAAS API. JAAS is a pluggable framework which provides a layer of abstraction between your security infrastructure and your application.
org.jboss.security.plugins.JaasSecurityManager, which implements the
JaasSecurityManager integrates into the EJB and web container layers, based on the <security-domain> element of the corresponding component deployment descriptor.
JaasSecurityManagerService MBean service manages security managers. Although its name begins with Jaas, the security managers it handles need not use JAAS in their implementation. The name reflects the fact that the default security manager implementation is the
JaasSecurityManagerService is to externalize the security manager implementation. You can change the security manager implementation by providing an alternate implementation of the
JaasSecurityManagerService is to provide a JNDI javax.naming.spi.ObjectFactory implementation to allow for simple code-free management of the binding between the JNDI name and the security manager implementation. To enable security, specify the JNDI name of the security manager implementation via the <security-domain> deployment descriptor element.
JaasSecurityManagerService binds a next naming system reference, nominating itself as the JNDI ObjectFactory under the name java:/jaas. This permits a naming convention of the form java:/jaas/XYZ as the value for the <security-domain> element, and the security manager instance for the XYZ security domain is created as needed, by creating an instance of the class specified by the SecurityManagerClassName attribute, using a constructor that takes the name of the security domain.
java:/jaas prefix in your deployment descriptor. You may do so, for backward compatibility, but it is ignored.
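The following added example is a simplified model of the lookup behaviour described above. It is not JBoss code: a resolver maps a <security-domain> value to one lazily created security manager per domain, instantiated reflectively through a constructor that takes the domain name. SecurityDomainResolverDemo and DemoSecurityManager are hypothetical names, and treating java:/jaas/XYZ and XYZ as the same domain follows the statement that the prefix is ignored.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Illustrative sketch only; every class name here is hypothetical.
public class SecurityDomainResolverDemo {
    static final String PREFIX = "java:/jaas/";

    // Stand-in for a security manager: its constructor takes the security domain name.
    public static class DemoSecurityManager {
        private final String domain;
        public DemoSecurityManager(String domain) { this.domain = domain; }
        public String getSecurityDomain() { return domain; }
    }

    // Plays the role of the SecurityManagerClassName attribute.
    private final String securityManagerClassName;
    // One instance per security domain, created on first use.
    private final Map<String, Object> managers = new ConcurrentHashMap<>();

    public SecurityDomainResolverDemo(String securityManagerClassName) {
        this.securityManagerClassName = securityManagerClassName;
    }

    // Accepts "java:/jaas/XYZ" or bare "XYZ" and returns the instance for that domain.
    public Object resolve(String securityDomainValue) {
        String domain = securityDomainValue.startsWith(PREFIX)
                ? securityDomainValue.substring(PREFIX.length())
                : securityDomainValue;
        if (domain.isEmpty()) {
            throw new IllegalArgumentException("Empty security domain: " + securityDomainValue);
        }
        return managers.computeIfAbsent(domain, this::instantiate);
    }

    private Object instantiate(String domain) {
        try {
            // Look up the configured class and call its (String domainName) constructor.
            return Class.forName(securityManagerClassName)
                    .getConstructor(String.class).newInstance(domain);
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("Cannot create security manager for " + domain, e);
        }
    }

    public static void main(String[] args) {
        SecurityDomainResolverDemo r =
                new SecurityDomainResolverDemo(DemoSecurityManager.class.getName());
        Object a = r.resolve("java:/jaas/XYZ");
        Object b = r.resolve("XYZ"); // prefix omitted: resolves to the same cached instance
        System.out.println((a == b) + " " + ((DemoSecurityManager) a).getSecurityDomain());
    }
}
```

Because the class name comes from configuration and is instantiated reflectively, the setting that plays the role of SecurityManagerClassName should be writable only by administrators.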
org.jboss.security.plugins.JaasSecurityDomain is an extension of JaasSecurityManager which adds the notion of a KeyManagerFactory, and a TrustManagerFactory for supporting SSL and other cryptographic use cases.
For more information, and practical examples of the security architecture in action, refer to Section 18.3, “About Java Authentication and Authorization Service (JAAS)”.