I can't figure out how Java EE app client to EJB security is supposed
to work (and I have some evidence it isn't).

What I'd expect is that:

- you log into the app client, resulting in a Subject in the
ContextManager. This subject would have to include a private
credential that stores the password.
- when you call an EJB, the EJB client code consults the
ContextManager to see if there's a subject, and if so looks for a
private credential and if present gets the client identity from
OpenEJB and uses it in the call. It could stash the client identity
in the subject so it didn't have to log in again.

What (if anything) is currently implemented? If nothing is, and the
above looks plausible, where does this hook up to OpenEJB, and what
would I have to implement/modify?

thanks
david jencks
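
The flow proposed in the message above, as an added sketch in plain JAAS; it is not Geronimo or OpenEJB code and not part of the original post. The `PasswordCredential` and `ClientIdentity` classes, the `CURRENT` thread-local standing in for the ContextManager, and the `authenticate` stub are all hypothetical.

```java
import java.util.Set;
import javax.security.auth.Subject;

public class ClientIdentityDemo {
    // Hypothetical private credential created at app-client login.
    static final class PasswordCredential {
        final String user;
        private final char[] password;
        PasswordCredential(String user, char[] password) {
            this.user = user;
            this.password = password.clone();
        }
        char[] password() { return password.clone(); }
    }

    // Hypothetical identity token returned by the server after authentication.
    static final class ClientIdentity {
        final String token;
        ClientIdentity(String token) { this.token = token; }
    }

    // Hypothetical stand-in for the per-thread subject holder (the ContextManager role).
    static final ThreadLocal<Subject> CURRENT = new ThreadLocal<>();
    static int serverLogins = 0;

    // Stub for the remote authentication round trip; the behaviour is constructed.
    static ClientIdentity authenticate(String user, char[] password) {
        serverLogins++;
        return new ClientIdentity("id-" + user + "-" + serverLogins);
    }

    // What the EJB client code would run before each call.
    static ClientIdentity identityForCall() {
        Subject subject = CURRENT.get();
        if (subject == null) return null;                 // no login: unauthenticated call
        Set<ClientIdentity> cached = subject.getPrivateCredentials(ClientIdentity.class);
        if (!cached.isEmpty()) return cached.iterator().next(); // reuse the stashed identity
        Set<PasswordCredential> pw = subject.getPrivateCredentials(PasswordCredential.class);
        if (pw.isEmpty()) return null;                    // subject carries no password
        PasswordCredential c = pw.iterator().next();
        ClientIdentity id = authenticate(c.user, c.password());
        subject.getPrivateCredentials().add(id);          // stash so later calls skip login
        return id;
    }

    public static void main(String[] args) {
        Subject s = new Subject();
        s.getPrivateCredentials().add(
            new PasswordCredential("alice", "constructed-pw".toCharArray())); // constructed sample
        CURRENT.set(s);
        ClientIdentity first = identityForCall();
        ClientIdentity second = identityForCall();
        System.out.println(first.token + " reused=" + (first == second)
            + " serverLogins=" + serverLogins);
    }
}
```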