Chapter 18. Role-Based Security in Applications
18.1. About the Security Extension Architecture
The first part of the infrastructure is the JAAS API. JAAS is a pluggable framework which provides a layer of abstraction between your security infrastructure and your application.
The default security manager implementation is org.jboss.security.plugins.JaasSecurityManager, which implements the AuthenticationManager and RealmMapping interfaces. JaasSecurityManager integrates into the EJB and web container layers, based on the <security-domain> element of the corresponding component deployment descriptor.
JaasSecurityManagerService MBean
The JaasSecurityManagerService MBean service manages security managers. Although its name begins with Jaas, the security managers it handles need not use JAAS in their implementation. The name reflects the fact that the default security manager implementation is the JaasSecurityManager.
One role of JaasSecurityManagerService is to externalize the security manager implementation. You can change the security manager implementation by providing an alternate implementation of the AuthenticationManager and RealmMapping interfaces.
Another role of JaasSecurityManagerService is to provide a JNDI javax.naming.spi.ObjectFactory implementation, which allows simple, code-free management of the binding between the JNDI name and the security manager implementation. To enable security, specify the JNDI name of the security manager implementation via the <security-domain> deployment descriptor element.
JaasSecurityManagerService binds a next naming system reference, nominating itself as the JNDI ObjectFactory under the name java:/jaas. This permits a naming convention of the form java:/jaas/XYZ as the value for the <security-domain> element. The security manager instance for the XYZ security domain is created as needed: the service instantiates the class specified by the SecurityManagerClassName attribute, using a constructor that takes the name of the security domain.
Note
You do not need to include the java:/jaas prefix in your deployment descriptor. You may do so, for backward compatibility, but it is ignored.
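The following audit script is an added example, not code from the JBoss documentation or project. It reads deployment descriptors, reports which security domain each one names, treats the optional java:/jaas/ prefix as ignored, and flags descriptors that enable no security domain. The jboss-web.xml file names, the sample descriptor contents and the function names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

JAAS_PREFIX = "java:/jaas/"

# Constructed sample descriptors (assumed contents, not taken from the page).
SAMPLES = {
    "legacy/jboss-web.xml": "<jboss-web><security-domain>java:/jaas/XYZ</security-domain></jboss-web>",
    "shop/jboss-web.xml": '<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee">'
                          "<security-domain> XYZ </security-domain></jboss-web>",
    "open/jboss-web.xml": "<jboss-web><context-root>/open</context-root></jboss-web>",
    "blank/jboss-web.xml": "<jboss-web><security-domain>java:/jaas/</security-domain></jboss-web>",
}


def local_name(tag):
    """Drop an XML namespace such as '{http://...}security-domain'."""
    return tag.rsplit("}", 1)[-1]


def security_domain(descriptor_xml):
    """Return (domain, had_prefix); domain is None when no usable value exists."""
    root = ET.fromstring(descriptor_xml)
    for elem in root.iter():
        if local_name(elem.tag) == "security-domain":
            value = (elem.text or "").strip()
            had_prefix = value.startswith(JAAS_PREFIX)
            if had_prefix:
                # The prefix is accepted for backward compatibility but ignored.
                value = value[len(JAAS_PREFIX):]
            return (value or None), had_prefix
    return None, False


def audit(descriptors):
    """Map each descriptor path to a one-line finding."""
    findings = {}
    for path, xml_text in sorted(descriptors.items()):
        domain, had_prefix = security_domain(xml_text)
        if domain is None:
            findings[path] = "no <security-domain>: security not enabled by this descriptor"
        elif had_prefix:
            findings[path] = f"domain {domain!r} (legacy java:/jaas/ prefix present, ignored)"
        else:
            findings[path] = f"domain {domain!r}"
    return findings


if __name__ == "__main__":
    for path, finding in audit(SAMPLES).items():
        print(f"{path}: {finding}")
```
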
The org.jboss.security.plugins.JaasSecurityDomain is an extension of JaasSecurityManager which adds the notion of a KeyStore, a KeyManagerFactory, and a TrustManagerFactory for supporting SSL and other cryptographic use cases.
For more information, and practical examples of the security architecture in action, refer to Section 18.3, “About Java Authentication and Authorization Service (JAAS)”.
