On Jul 5, 2007, at 5:44 PM, David Jencks wrote:

> On Jul 5, 2007, at 12:03 PM, David Blevins wrote:
>
>> How were we doing web services security before? Did it work for EJBs too? (maybe that was the issue).
>
> Web services security works and worked fine. AFAICT it's using BASIC web authentication. Anyway we tell the web services client a user and password and it gets sent with the message and logged in and everything works. The user/pw comes out of a private credential in the Subject. In order for this to get into the Subject we need a login module running locally on the client to put it there. All this is working fine and has worked fine for a long time.
>
> The problem is that in order to call an ejb we (currently) need remote login modules on the client that are actually running on the server and get the identification principal back to the client subject. We seem to be able to configure logins that use either only remote modules or only local modules but I haven't been able to figure out how to configure something that uses both a local login module for the web services AND in the same login configuration a remote module for openejb.

Hmm. I can definitely see similarities and what you're feeling around for. The paradigm is essentially the same on the client-side; pull user/pw from userland, then put it in a known code location (subject, static) where it will be fished out on request. The server-side is also the same being a plain user/pw login. Could be possible not just to use the same login configuration but the same login module.

> I also find the code and configuration around remote login modules to be incredibly hard to understand and confusing so I'd rather come up with something that appears to involve a little less magic.

Amen.

>> I really lost you when you stated an issue with web services security then jumped to solving the problem in the protocol that doesn't use web services. I can't figure out how these things connect.
>
> Just possibly the above will help :-)
>
> Anyway after perusing the jaspi spec some more I don't want to promise to implement it by geronimo 2.0 so I'm now trying option (0) and hope to have a proposed patch Friday. [...] I think this special purpose solution will be a lot simpler and easier to understand than the geronimo code and will work fine while we think about jaspi.

Sounds like a plan.

-David
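As an added illustration of the client-side paradigm discussed above (a local login module puts the user/pw into the Subject's private credentials, and the web services client fishes it out on request), here is a minimal JAAS module written for this page; it is not Geronimo's or OpenEJB's code, and `UserPasswordCredential`, `LocalCredentialLoginModule` and `fishOut` are hypothetical names.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical private-credential type holding the user/pw pair (not a Geronimo class). */
final class UserPasswordCredential {
    final String user;
    final char[] password;
    UserPasswordCredential(String user, char[] password) { this.user = user; this.password = password.clone(); }
}

/** Local (client-side) login module: collects user/pw through the CallbackHandler and parks it in the Subject. */
public class LocalCredentialLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private UserPasswordCredential pending;   // held here until commit() so abort() can drop it
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> opts) {
        this.subject = subject;
        this.handler = handler;
    }
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pw = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { name, pw });   // "pull user/pw from userland"
        } catch (Exception e) {
            throw new LoginException("could not collect credentials: " + e.getMessage());
        }
        if (name.getName() == null || pw.getPassword() == null) throw new LoginException("no credentials supplied");
        pending = new UserPasswordCredential(name.getName(), pw.getPassword());
        pw.clearPassword();   // the only long-lived copy should be the one that ends up in the Subject
        return true;
    }
    /** Phase two of JAAS login: only now does the credential land in the Subject's private set. */
    public boolean commit() {
        if (pending == null) return false;
        subject.getPrivateCredentials().add(pending);
        return true;
    }
    public boolean abort() { pending = null; return true; }
    public boolean logout() { subject.getPrivateCredentials().removeIf(c -> c instanceof UserPasswordCredential); return true; }

    /** What the web services client does on request: fish the user/pw back out of the Subject it runs under. */
    static UserPasswordCredential fishOut(Subject s) {
        return s.getPrivateCredentials(UserPasswordCredential.class).stream().findFirst().orElse(null);
    }
}
```

The caller of `fishOut` has to be handed the Subject it is running as (typically the one established by `Subject.doAs`), and when a SecurityManager is installed, reading the private credential set additionally requires `PrivateCredentialPermission`, which is what keeps the stored password from being readable by arbitrary code in the same JVM.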