Responded to the same thread on the users list. Feel free to respond there or here.

On Sep 29, 2009, at 1:22 PM, Quintin Beukes wrote:

Hey,

In the JUnit runner, the method I use to get the code to authenticate
to a named role is a LoginModule that simply sets the role. No
actual authentication takes place. I get the login module loaded by
setting the login configuration system property before I create the
InitialContext.

Just a question about this.

1. Once OpenEJB is initialized, is it possible to load more login
modules? In other words, does it create new LoginContexts during the
runtime of OpenEJB?

2. If the openejb-junit JAR had to be on the classpath, can you think
of any way this login module can be used to authenticate against any
chosen role?

I'm basically trying to determine the security risks of having this
module in your classpath. If it's a risk I would need to find a better
way of doing the "fake authentication".

The only way I could think of is if the login module was explicitly
loaded at STARTUP? And after startup this is impossible?

Quintin Beukes




---------- Forwarded message ----------
From: Quintin Beukes <[email protected]>
Date: Tue, Sep 29, 2009 at 5:46 PM
Subject: Question
To: Quintin Beukes <[email protected]>


JUnit runner's login module. Is it a risk in an appserver or a client
where it's merely included in the classpath?

Can it be (1) deliberate loading, or can't this happen once the real
ones were loaded (2) automatic loading from CP scanning

Quintin Beukes

