Version 7

    This is a JMX service which manages JAAS based SecurityManagers. JAAS SecurityManagers are responsible for validating credentials associated with principals. The service defaults to the org.jboss.security.plugins.JaasSecurityManager implementation but this can be changed via the securityManagerClass property.

    • ServerMode (4.0.3, 3.2.8): A flag which indicates whether the SecurityAssociation server mode is set on service creation. This is true by default, since the SecurityAssociation should be thread-local for multi-threaded server operation.

    • SecurityManagerClassName: The name of the class that provides the security manager implementation. The implementation must support both the org.jboss.security.AuthenticationManager and org.jboss.security.RealmMapping interfaces. If not specified this defaults to the JAAS-based org.jboss.security.plugins.JaasSecurityManager.

    • CallbackHandlerClassName: The name of the class that provides the javax.security.auth.callback.CallbackHandler implementation used by the JaasSecurityManager. You can override the handler used by the JaasSecurityManager if the default implementation (org.jboss.security.auth.callback.SecurityAssociationHandler) does not meet your needs. This is a rather deep configuration that generally should not be set unless you know what you are doing.

    • SecurityProxyFactoryClassName: The name of the class that provides the org.jboss.security.SecurityProxyFactory implementation. If not specified this defaults to org.jboss.security.SubjectSecurityProxyFactory.

    • AuthenticationCacheJndiName: Specifies the location of the security credential cache policy. This is first treated as an ObjectFactory location capable of returning CachePolicy instances on a per-security-domain basis. This is done by appending the name of the security domain to this name when looking up the CachePolicy for a domain. If this fails, the location is treated as a single CachePolicy for all security domains. As a default, a timed cache policy is used.

    • DefaultCacheTimeout: Specifies the default timed cache policy timeout in seconds. The default value is 1800 seconds (30 minutes). The value you use for the timeout is a tradeoff between frequent authentication operations and how long credential information may be out of sync with respect to the security information store. If you want to disable caching of security credentials, set this to 0 to force authentication to occur every time. This has no effect if the AuthenticationCacheJndiName has been changed from the default value.

    • DefaultCacheResolution: Specifies the default timed cache policy resolution in seconds. This controls the interval at which the cache's current timestamp is updated and should be less than the DefaultCacheTimeout in order for the timeout to be meaningful. The default resolution is 60 seconds (1 minute). This has no effect if the AuthenticationCacheJndiName has been changed from the default value.

    • DeepCopySubjectMode (starting 4.0.4.GA): This sets the copy mode of subjects done by the security managers to deep copies, which copy the subject principals and credentials if they are cloneable. It should be set to true if subjects include mutable content that can be corrupted when multiple threads share the same identity, so that cache flushes or a logout clearing the subject in one thread do not leave subject references in other threads affected. See http://jira.jboss.com/jira/browse/JBAS-2657. By default it is set to false.

    The JaasSecurityManagerService also supports a number of useful operations. These include flushing any security domain authentication cache at runtime, getting the list of active users in a security domain authentication cache, and any of the security manager interface methods.

     

    Flushing a security domain authentication cache can be used to drop all cached credentials when the underlying store has been updated and you want the store state to be used immediately. The MBean operation signature is as follows:

    public void flushAuthenticationCache(String securityDomain);

    This can be invoked programmatically using the following code snippet (MBeanServer and ObjectName are from javax.management; domainName is the security domain to flush):

    MBeanServer server = ...;   // the JBoss MBeanServer
    String jaasMgrName = "jboss.security:service=JaasSecurityManager";
    ObjectName jaasMgr = new ObjectName(jaasMgrName);
    Object[] params = {domainName};                 // single String argument
    String[] signature = {"java.lang.String"};      // matches the operation signature above
    server.invoke(jaasMgr, "flushAuthenticationCache", params, signature);

     

    Getting the list of active users provides a snapshot of the Principal keys in a security domain authentication cache that have not expired. The MBean operation signature is:

    public List getAuthenticationCachePrincipals(String securityDomain);

     

    This can be invoked programmatically using the following code snippet (same MBean name and argument conventions as above):

    MBeanServer server = ...;   // the JBoss MBeanServer
    String jaasMgrName = "jboss.security:service=JaasSecurityManager";
    ObjectName jaasMgr = new ObjectName(jaasMgrName);
    Object[] params = {domainName};                 // the security domain to inspect
    String[] signature = {"java.lang.String"};
    // returns the unexpired Principal keys of that domain's authentication cache
    List users = (List) server.invoke(jaasMgr, "getAuthenticationCachePrincipals", params, signature);

     

    The security manager access methods include the following operation signatures:

    public boolean isValid(String securityDomain, Principal principal, Object credential);
    public Principal getPrincipal(String securityDomain, Principal principal);
    public boolean doesUserHaveRole(String securityDomain, Principal principal, Set roles);
    public Set getUserRoles(String securityDomain, Principal principal);

     

    They provide access to the corresponding AuthenticationManager and RealmMapping interface methods of the associated security domain named by the securityDomain argument.
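    The cache flush, cache listing and role-check operations described above, wrapped in one helper so that an administrator can verify that a revoked account is really gone from the cache. This is an added example, not code from the JBoss project; it assumes the caller already holds the JBoss MBeanServer, that org.jboss.security.SimplePrincipal is the Principal implementation in use, and that the roles Set passed to doesUserHaveRole holds role Principals as the JBoss RealmMapping contract expects.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import org.jboss.security.SimplePrincipal;   // assumed Principal implementation

/** Wrapper for the JaasSecurityManagerService operations listed on this page. */
public class SecurityDomainAdmin {
    private static final String[] STRING_SIG = {"java.lang.String"};
    private static final String[] ROLE_SIG =
        {"java.lang.String", "java.security.Principal", "java.util.Set"};
    private final MBeanServer server;
    private final ObjectName jaasMgr;

    public SecurityDomainAdmin(MBeanServer server) throws Exception {
        this.server = server;
        this.jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager");
        // Fail at construction rather than on the first invoke() if the service is absent
        if (!server.isRegistered(jaasMgr)) {
            throw new IllegalStateException(jaasMgr + " is not registered");
        }
    }

    /** Unexpired Principal keys currently held in the domain's authentication cache. */
    @SuppressWarnings("unchecked")
    public List<Principal> cachedPrincipals(String domain) throws Exception {
        return (List<Principal>) server.invoke(jaasMgr, "getAuthenticationCachePrincipals",
                new Object[] {domain}, STRING_SIG);
    }

    /** Drop every cached credential for the domain. Call this right after a user is disabled
     *  or a password changed in the store; otherwise the stale entry keeps authenticating
     *  for up to DefaultCacheTimeout seconds. */
    public void flushAuthenticationCache(String domain) throws Exception {
        server.invoke(jaasMgr, "flushAuthenticationCache", new Object[] {domain}, STRING_SIG);
    }

    /** Role check via RealmMapping; the roles Set holds role Principals, not Strings. */
    public boolean doesUserHaveRole(String domain, String user, String... roles) throws Exception {
        Set<Principal> rolePrincipals = new HashSet<Principal>();
        for (String r : roles) rolePrincipals.add(new SimplePrincipal(r));
        Object[] params = {domain, new SimplePrincipal(user), rolePrincipals};
        return (Boolean) server.invoke(jaasMgr, "doesUserHaveRole", params, ROLE_SIG);
    }
}
```

    After disabling an account in the backing store, calling flushAuthenticationCache for the domain and then checking that cachedPrincipals no longer lists the user confirms the revocation took effect immediately rather than at cache expiry.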

     

     

    JBoss Application Server v5.1 onwards: Specifying Custom CallbackHandler