3 Replies Latest reply on Jan 24, 2011 11:15 AM by anil.saldhana

    AS7 : Authentication and Authorization

    mmoyses

      For AS7 I'm thinking about rewriting all our login modules to separate authentication (caller principal mapping) from authorization (role mapping) during the JAAS process.

      Currently the majority of our login modules do both things: they validate the password to assign the user principal to the subject and add the roles to the subject.

      In my opinion this is getting messy, as new functionality needs to be added to login modules to allow different combinations of them so customers can use only one for authentication and another for role mapping. This is bad, as we keep adding new options to the LMs in order to accommodate such features.

      If we separate the functionalities I believe the code will be easier to manage, to extend (subclass for custom needs), to configure and it will also allow for many other combinations to suit every need.

      What do you think?

        • 1. AS7 : Authentication and Authorization
          dmlloyd

          I think this is a great idea.  I for one am running into issues where SASL authentication cannot dovetail into JAAS.  But I still want to use the common authorization system, which I think is still a good fit, as well as the central identity repository (whatever it may be).

          • 2. AS7 : Authentication and Authorization
            dlofthouse

            I have also thought for a while that this area needs an overhaul; I think the pattern imposed by the UsernamePasswordLoginModule really complicates writing login modules that can have the pure authentication step handled by one module and the Principal association handled by the other modules.

            Also, when discussing these modules I think it is probably best not to discuss them as handling authorization; that is something that happens outside of the authentication process when the modules are called. The modules populate the Principals in the Subject that can be used for authorization, but the actual authorization is separate.

             

            When writing some of the modules within JBoss Negotiation I had to make some decisions regarding chaining or extending that may have some bearing on your work here:

            • Connection Sharing
            • Pre-authentication queries

            So for the connection sharing, a number of modules establish a connection to something remote such as an LDAP server or a database. The current modules use the same connection for the pure authentication and the subsequent loading of roles; a subsequent switch to split modules could also benefit from a mechanism to share these connections whilst taking into account issues such as ensuring no leaks.

            For the second issue, with pre-authentication queries, I found myself that in the case of having an LDAP login module chained after another module that had performed the authentication, the LDAP module still needed to perform almost the same set of queries to identify the user before the role searching could begin. In the end, for the AdvancedLdapLoginModule in JBoss Negotiation, when chained the only thing actually skipped was the password verification; the remaining 99% of the code was still called as if it was not chained.
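The split mmoyses proposes and the chaining dlofthouse describes, as an added illustration that is not code from this thread or from the AS7 code base: one JAAS module only authenticates, a second only maps roles, and the caller principal is handed between them through the standard sharedState map under the javax.security.auth.login.name key, so the role module never touches a password and never has to re-identify the user. The class names, the in-memory user and role stores and the "split" configuration name are constructed for the demo; it needs Java 16 or later for records and pattern-matching instanceof.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class SplitLoginDemo {
    static final String CALLER = "javax.security.auth.login.name";  // sharedState key the JDK's own modules use
    static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");                  // constructed sample store
    static final Map<String, List<String>> ROLES = Map.of("alice", List.of("admin", "user")); // constructed sample store
    record SimplePrincipal(String getName) implements Principal {}
    // Authentication-only module: verifies the password and publishes the caller principal through sharedState.
    public static class AuthnModule implements LoginModule {
        Subject subject; CallbackHandler handler; Map<String, Object> shared; Principal caller;
        @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> ss, Map<String, ?> o) { subject = s; handler = h; shared = (Map<String, Object>) ss; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user"); PasswordCallback pc = new PasswordCallback("pass", false);
            try { handler.handle(new Callback[] {nc, pc}); } catch (Exception e) { throw new LoginException(e.toString()); }
            if (!Objects.equals(PASSWORDS.get(nc.getName()), new String(pc.getPassword()))) throw new FailedLoginException("bad credentials");
            caller = new SimplePrincipal(nc.getName()); shared.put(CALLER, caller); return true;
        }
        public boolean commit() { if (caller != null) subject.getPrincipals().add(caller); return caller != null; }
        public boolean abort() { caller = null; return true; }   public boolean logout() { subject.getPrincipals().clear(); return true; }
    }
    // Role-mapping module: never sees a password; it only trusts the identity an earlier module established.
    public static class RoleModule implements LoginModule {
        Subject subject; Map<String, ?> shared;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> ss, Map<String, ?> o) { subject = s; shared = ss; }
        public boolean login() throws LoginException {  // refuse to map roles when no earlier module authenticated a caller
            if (shared.get(CALLER) instanceof Principal) return true; throw new LoginException("no authenticated caller in sharedState");
        }
        public boolean commit() { String user = ((Principal) shared.get(CALLER)).getName();
            ROLES.getOrDefault(user, List.of()).forEach(r -> subject.getPrincipals().add(new SimplePrincipal(r))); return true; }
        public boolean abort() { return true; }   public boolean logout() { return true; }
    }
    // Chain the two in code; the jaas.conf equivalent is: split { ...$AuthnModule required; ...$RoleModule required; };
    static final Configuration CHAIN = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            var req = AppConfigurationEntry.LoginModuleControlFlag.REQUIRED;
            return new AppConfigurationEntry[] { new AppConfigurationEntry(AuthnModule.class.getName(), req, Map.of()),
                                                 new AppConfigurationEntry(RoleModule.class.getName(), req, Map.of()) }; } };
    public static void main(String[] args) throws LoginException {
        CallbackHandler h = cbs -> { for (Callback c : cbs) { if (c instanceof NameCallback n) n.setName("alice");
            else if (c instanceof PasswordCallback p) p.setPassword("s3cret".toCharArray()); } };
        LoginContext lc = new LoginContext("split", new Subject(), h, CHAIN); lc.login();
        System.out.println(lc.getSubject().getPrincipals());  // caller principal plus the mapped role principals
    }
}
```

Swapping AuthnModule for an LDAP or database authenticator leaves RoleModule untouched, which is the configurability the split is meant to buy; a shared-connection mechanism of the kind mentioned above would be the next thing to add on top of this handoff.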

            • 3. AS7 : Authentication and Authorization
              anil.saldhana

              We did introduce the mapping (principal,role,attribute) and authorization modules to get away from the loaded JAAS authentication layer in AS5. Additional frameworks/separations cost performance.