Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

Anchor
top
top
Article donated by: Simon Godik, Hernan Cunico
This article explains some basic the rational and working of the Apache Geronimo security system. JAAC implementation will not be addressed in this article. The basic concepts on which Geronimo security architecture is build are: Login Domain and Security Realm. These concepts are integrated into the JAAS architecture for use by the container.

A lot of the security terms are overloaded, and you may find many definitions of principals, roles, etc. This article tries to stay with the established frameworks where possible such as OASIS SAML reference model.

Login Domain

According to the SAML specification a principal is a system entity whose identity can be authenticated. An Identity Provider is a service provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers.

...

One example of Login Domain is LDAP directory server, it combines maintenance of identity information and other attributes (such as groups). Relational databases with tables for users and groups is another.

Back to Top

Security Realm

Security realm configures and enforces application-specific authentication policy and is the entry point into login domains. Security realm implements pluggable authentication framework allowing for a combination of authentication protocols with different properties and different trust relationships that match application requirements.

...

Of course, security realm authentication policy emulates JAAS login module combination semantics. In fact, security realm implementation is wired with the JAAS login modules that are configured with the familiar attributes such as control flag and options. The authentication procedure is driven by the Login Module JAAS API and the authentication result is computed over control flag values and authentication outcomes of individual login modules.

Back to Top

Authentication and principals

As authentication proceeds each login domain (implemented by the login module), it creates it's own principals that implement java.security.Principal interface. There are several implementations of the java.security.Principal interface in Geronimoas illustrated in the following table:

...

There are some special types of Principal's that are created after authentication procedure succeeds and used by Geronimo to track authenticated subject through it's lifetime in the container.

Back to Top