Chapter 18. Role-Based Security in Applications
18.1. About the Security Extension Architecture
The first part of the infrastructure is the JAAS API. JAAS is a pluggable framework which provides a layer of abstraction between your security infrastructure and your application.
org.jboss.security.plugins.JaasSecurityManager, which implements the
JaasSecurityManager integrates into the EJB and web container layers, based on the <security-domain> element of the corresponding component deployment descriptor.
The JaasSecurityManagerService MBean service manages security managers. Although its name begins with Jaas, the security managers it handles need not use JAAS in their implementation. The name reflects the fact that the default security manager implementation is the
JaasSecurityManagerService is to externalize the security manager implementation. You can change the security manager implementation by providing an alternate implementation of the
JaasSecurityManagerService is to provide a JNDI javax.naming.spi.ObjectFactory implementation to allow for simple code-free management of the binding between the JNDI name and the security manager implementation. To enable security, specify the JNDI name of the security manager implementation via the <security-domain> deployment descriptor element.
JaasSecurityManagerService binds a next naming system reference, nominating itself as the JNDI ObjectFactory under the name java:/jaas. This permits a naming convention of the form java:/jaas/XYZ as the value for the <security-domain> element, and the security manager instance for the XYZ security domain is created as needed, by creating an instance of the class specified by the SecurityManagerClassName attribute, using a constructor that takes the name of the security domain.
java:/jaas prefix in your deployment descriptor. You may do so, for backward compatibility, but it is ignored.
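An added example, not part of the original documentation or of JBoss itself: a short Python audit that reads deployment descriptors, reports which security domain each one names, and treats java:/jaas/XYZ and XYZ as the same domain because the prefix is ignored. The descriptor paths, the XML namespace, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted descriptors, prefer defusedxml

JAAS_PREFIX = "java:/jaas/"  # optional prefix; the page states it is ignored


def local_name(tag):
    """Strip an XML namespace: '{urn:x}security-domain' -> 'security-domain'."""
    return tag.rsplit("}", 1)[-1]


def security_domain(descriptor_xml):
    """Return the normalized security domain a descriptor names, or None."""
    root = ET.fromstring(descriptor_xml)
    for elem in root.iter():
        if local_name(elem.tag) == "security-domain":
            value = (elem.text or "").strip()
            if value.startswith(JAAS_PREFIX):
                value = value[len(JAAS_PREFIX):]
            return value or None  # an empty element enables nothing
    return None


def audit(descriptors):
    """Return ({path: domain}, [paths with no security domain])."""
    domains, unsecured = {}, []
    for path, xml_text in descriptors.items():
        domain = security_domain(xml_text)
        if domain is None:
            unsecured.append(path)
        else:
            domains[path] = domain
    return domains, sorted(unsecured)


# Constructed sample descriptors (paths and namespace are illustrative).
SAMPLES = {
    "shop.war/WEB-INF/jboss-web.xml":
        "<jboss-web><security-domain>java:/jaas/XYZ</security-domain></jboss-web>",
    "admin.war/WEB-INF/jboss-web.xml":
        "<jboss-web><security-domain>XYZ</security-domain></jboss-web>",
    "orders.jar/META-INF/jboss-ejb3.xml":
        '<ejb-jar xmlns:s="urn:example:security"><assembly-descriptor>'
        "<s:security><s:security-domain>other</s:security-domain></s:security>"
        "</assembly-descriptor></ejb-jar>",
    "public.war/WEB-INF/jboss-web.xml":
        "<jboss-web><context-root>/public</context-root></jboss-web>",
}

if __name__ == "__main__":
    found, missing = audit(SAMPLES)
    for path, domain in sorted(found.items()):
        print(f"{path}: security domain {domain}")
    for path in missing:
        print(f"{path}: no <security-domain>, container security not enabled")
```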
org.jboss.security.plugins.JaasSecurityDomain is an extension of JaasSecurityManager which adds the notion of a KeyManagerFactory, and a TrustManagerFactory for supporting SSL and other cryptographic use cases.
For more information, and practical examples of the security architecture in action, refer to Section 18.3, “About Java Authentication and Authorization Service (JAAS)”.