For AS7 I'm thinking about rewriting all our login modules to separate authentication (caller principal mapping) from authorization (role mapping) during the JAAS process.
Currently the majority of our login modules do both things: validate the password to assign the user principal to the subject and add the roles to the subject.
In my opinion this is getting messy, as new functionality needs to be added to login modules to allow different combinations of them so customers can use only one for authentication and another for role mapping. This is bad as we keep adding new options to the LMs in order to accommodate such features.
If we separate the functionalities I believe the code will be easier to manage, to extend (subclass for custom needs), to configure and it will also allow for many other combinations to suit every need.
What do you think?
I have also thought for a while that this area needs an overhaul. I think the pattern imposed by the UsernamePasswordLoginModule really complicates writing login modules that can have the pure authentication step handled by one module and the Principal association handled by the other modules.
Also, when discussing these modules I think it is probably best not to discuss them as handling authorization; that is something that happens outside of the authentication process when the modules are called. The modules populate the Principals in the Subject that can be used for authorization, but the actual authorization is separate.
When writing some of the modules within JBoss Negotiation I had to make some decisions regarding chaining or extending that may have some bearing on your work here:
- Connection Sharing
- Pre-authentication queries
So for the connection sharing a number of modules establish a connection to something remote such as an LDAP server or a database, the current modules use the same connection for the pure authentication and the subsequent loading of roles - a subsequent switch to split modules could benefit also from a mechanism to share these connections whilst taking into account issues such as ensuring no leaks.
For the second issue with pre-authentication queries, I found myself that in the case of having an LDAP login module chained after another module that had performed the authentication, the LDAP module still needed to perform almost the same set of queries to identify the user before the role searching could begin. In the end, for the AdvancedLdapLoginModule in JBoss Negotiation, when chained the only thing actually skipped was the password verification; the remaining 99% of the code was still called as if it was not chained.
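As an added illustration of the split the two posts above are discussing (example code written for this page, not from JBoss AS7 or JBoss Negotiation), here is a pair of plain JAAS login modules stacked in one configuration: one does only password verification and hands the caller name to later modules through the standard JAAS sharedState key `javax.security.auth.login.name`; the other only maps roles, never sees the credentials, and fails if no upstream module has authenticated. The `UserPrincipal`/`RolePrincipal` classes, the in-memory user and role tables and the module names are constructed for the demo; JBoss's own `SimplePrincipal`/`SimpleGroup("Roles")` conventions are not used.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical principal types; JBoss uses its own SimplePrincipal/SimpleGroup instead.
final class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String n) { name = n; }
    @Override public String getName() { return name; }
    @Override public String toString() { return "user:" + name; }
}
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String n) { name = n; }
    @Override public String getName() { return name; }
    @Override public String toString() { return "role:" + name; }
}

public class SplitJaasDemo {
    // Standard JAAS sharedState key used for password stacking between modules.
    static final String NAME_KEY = "javax.security.auth.login.name";

    /** Authentication only: verifies the password and publishes the caller name via sharedState. */
    public static class PasswordOnlyLoginModule implements LoginModule {
        // Constructed sample credential store; a real module would query LDAP or a database.
        private static final Map<String, char[]> USERS = Map.of("alice", "s3cret".toCharArray());
        private Subject subject; private CallbackHandler handler; private Map<String, Object> shared;
        private String user; private boolean ok;

        @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> opts) {
            subject = s; handler = h; shared = (Map<String, Object>) sharedState;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            char[] expected = USERS.get(nc.getName());
            char[] given = pc.getPassword() == null ? new char[0] : pc.getPassword();
            ok = expected != null && Arrays.equals(expected, given);
            pc.clearPassword(); Arrays.fill(given, '\0');   // do not keep the secret around
            if (!ok) throw new FailedLoginException("bad credentials");
            user = nc.getName();
            shared.put(NAME_KEY, user);   // hand the authenticated identity to later modules
            return true;
        }
        public boolean commit() { if (ok) subject.getPrincipals().add(new UserPrincipal(user)); return ok; }
        public boolean abort() { shared.remove(NAME_KEY); ok = false; return true; }
        public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal); return true; }
    }

    /** Role mapping only: never touches credentials; requires an upstream module to have authenticated. */
    public static class RoleMappingLoginModule implements LoginModule {
        // Constructed sample role table; a real module would search LDAP groups or a roles table.
        private static final Map<String, List<String>> ROLES = Map.of("alice", List.of("admin", "user"));
        private Subject subject; private Map<String, ?> shared; private String user;

        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> opts) {
            subject = s; shared = sharedState;
        }
        public boolean login() throws LoginException {
            Object name = shared.get(NAME_KEY);
            if (!(name instanceof String)) throw new LoginException("no authenticated caller in sharedState");
            user = (String) name;
            return true;
        }
        public boolean commit() {
            if (user == null) return false;
            for (String r : ROLES.getOrDefault(user, List.of())) subject.getPrincipals().add(new RolePrincipal(r));
            return true;
        }
        public boolean abort() { user = null; return true; }
        public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof RolePrincipal); return true; }
    }

    /** Stacks the two modules; both REQUIRED, so a missing role mapping fails the whole login. */
    static Configuration stacked() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, ?> none = Map.of();
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(PasswordOnlyLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, none),
                    new AppConfigurationEntry(RoleMappingLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, none) };
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        // Constructed callback handler standing in for the container's credential delivery.
        CallbackHandler cb = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("s3cret".toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("split", new Subject(), cb, stacked());
        lc.login();
        System.out.println(lc.getSubject().getPrincipals());
    }
}
```

Swapping the first entry for an LDAP, database or Kerberos authentication module leaves the role module untouched, which is the point of the split; the role module can only be bypassed if a module earlier in the stack writes the sharedState key, so the control flags on the authentication modules are what keep it honest.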