Rickard Öberg wrote:
>
> ...
>
> There are a couple of more scenarios such as this, for example including
> extensive use of Handles, that show that JNDI is not a good way to
> authenticate EJB users.
>
> What *is* a good way to do this is to use a thread-based scheme such as
> JAAS. For now security authentication is proprietary, and is indeed the
> by far biggest hole in the whole J2EE area, but once JAAS becomes used
> this should clear up (I hope, fingers crossed).

What you propose is not necessarily *good*. If a client is simultaneously
talking to multiple servers, the usual implementation of your proposal would
force the client to present the same credentials to all remote servers it is
simultaneously communicating with. In such situations, using JNDI to
authenticate the users is preferable (assuming in this case that object
references won't be passed between clients and handles won't be used).
________________________________________________________________________________

Evan Ireland              Sybase EA Server Engineering       [EMAIL PROTECTED]
                            Wellington - New Zealand              +64 4 934-5856
