Chapter 18. Role-Based Security in Applications

18.1. About the Security Extension Architecture

The architecture of the JBoss EAP 6 security extensions consists of three parts. These three parts connect your application to your underlying security infrastructure, whether it is LDAP, Kerberos, or another external system.
JAAS

The first part of the infrastructure is the JAAS API. JAAS is a pluggable framework which provides a layer of abstraction between your security infrastructure and your application.

The main implementation in JAAS is org.jboss.security.plugins.JaasSecurityManager, which implements the AuthenticationManager and RealmMapping interfaces. JaasSecurityManager integrates into the EJB and web container layers, based on the <security-domain> element of the corresponding component deployment descriptor.
The JaasSecurityManagerService MBean

The JaasSecurityManagerService MBean service manages security managers. Although its name begins with Jaas, the security managers it handles need not use JAAS in their implementation. The name reflects the fact that the default security manager implementation is the JaasSecurityManager.

The primary role of the JaasSecurityManagerService is to externalize the security manager implementation. You can change the security manager implementation by providing an alternate implementation of the AuthenticationManager and RealmMapping interfaces.
The second fundamental role of the JaasSecurityManagerService is to provide a JNDI javax.naming.spi.ObjectFactory implementation to allow for simple code-free management of the binding between the JNDI name and the security manager implementation. To enable security, specify the JNDI name of the security manager implementation via the <security-domain> deployment descriptor element.
When you specify a JNDI name, an object binding for that name must already exist. To simplify the setup of the binding between the JNDI name and the security manager, the JaasSecurityManagerService binds a next naming system reference, nominating itself as the JNDI ObjectFactory under the name java:/jaas. This permits a naming convention of the form java:/jaas/XYZ as the value for the <security-domain> element. The security manager instance for the XYZ security domain is then created on demand, by instantiating the class named by the SecurityManagerClassName attribute, using a constructor that takes the name of the security domain.

Note

You do not need to include the java:/jaas prefix in your deployment descriptor. You may do so, for backward compatibility, but it is ignored.
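As an added example (not part of the original documentation), the following shows the three configuration pieces that connect a web application to a security domain through the <security-domain> deployment descriptor element described above: the domain definition in the server's security subsystem, the jboss-web.xml that references it, and the web.xml constraint that actually triggers authentication and role checking. The domain name my-app-domain, the property file names, the URL pattern and the role name are assumed values chosen for illustration; the subsystem namespace version is the one used by EAP 6.1 and later.

```xml
<!-- Added example, not from the original documentation. All names are assumed. -->

<!-- 1. standalone.xml: the security domain that the deployment will reference.
        Here "my-app-domain" is backed by the UsersRoles login module, which reads
        user/password and user/role pairs from two property files. -->
<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    <security-domain name="my-app-domain" cache-type="default">
      <authentication>
        <login-module code="UsersRoles" flag="required">
          <module-option name="usersProperties"
                         value="${jboss.server.config.dir}/my-app-users.properties"/>
          <module-option name="rolesProperties"
                         value="${jboss.server.config.dir}/my-app-roles.properties"/>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>

<!-- 2. WEB-INF/jboss-web.xml: selects the security manager for this deployment.
        The java:/jaas/ prefix is optional in EAP 6 and ignored if present,
        so the bare domain name is used. -->
<jboss-web>
  <security-domain>my-app-domain</security-domain>
</jboss-web>

<!-- 3. WEB-INF/web.xml: declares which resources the domain protects and which
        roles may reach them. Referencing a domain alone enforces nothing; without a
        security-constraint the container never challenges the caller. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>my-app-domain</realm-name>
  </login-config>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

The check a practitioner should make after wiring this up is that an unauthenticated request to a path under /admin/ is refused with a 401 challenge, and that a user whose roles file does not list admin is refused with a 403 even after a successful login; if either request succeeds, the deployment has a security domain but no effective constraint. EJB deployments reference the same domain from jboss-ejb3.xml or with the org.jboss.ejb3.annotation.SecurityDomain annotation, and method permissions then take the place of the web security-constraint.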
The JaasSecurityDomain MBean

The org.jboss.security.plugins.JaasSecurityDomain is an extension of JaasSecurityManager which adds the notion of a KeyStore, a KeyManagerFactory, and a TrustManagerFactory for supporting SSL and other cryptographic use cases.

Further information

For more information, and practical examples of the security architecture in action, refer to Section 18.3, “About Java Authentication and Authorization Service (JAAS)”.