see below,

Assaf Arkin wrote:

> Evan Ireland wrote:
> >
> > > Rickard Öberg wrote:
> > >
> > > ...
> > >
> > > There are a couple of more scenarios such as this, for example including
> > > extensive use of Handles, that show that JNDI is not a good way to
> > > authenticate EJB users.
> > >
> > > What *is* a good way to do this is to use a thread-based scheme such as
> > > JAAS. For now security authentication is proprietary, and is indeed the
> > > by far biggest hole in the whole J2EE area, but once JAAS becomes used
> > > this should clear up (I hope, fingers crossed).
> >
> > What you propose is not necessarily *good*. If a client is simultaneously
> > talking to multiple servers, the usual implementation of your proposal would
> > force the client to present the same credentials to all remote servers it is
> > simultaneously communicating with. In such situations, using JNDI to
> > authenticate the users is preferable (assuming in this case that object
> > references won't be passed between clients and handles won't be used).
>
> JNDI does not authenticate the user. Once you get a reference you can
> use it multiple times with different users.
>
> JAAS takes care of authenticating if you use multiple servers with
> different credentials (see javax.security.auth.Subject to understand
> how).
>

JAAS doesn't deal with sending security context to a server. JAAS can only associate a
thread with multiple principals. So JAAS can't know to which server a request is being
sent (to server "A" or to server "B") or which communication scheme is being used (RMI-IIOP or
WLS-t3). The container implementor will for example call
Subject.getSubject().getPrincipal(...) to get the needed principal and send it to the
corresponding server.

Finally, let's say JAAS will provide Java clients with a portable way for
communicating users' security information to their containers.

any comment?

--
Francis Pouatcha

MATHEMA Software GmbH
http://www.mathema.de
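To make concrete the point about javax.security.auth.Subject raised in this exchange, here is an added example (not code from any poster or vendor) of how a thread-bound Subject can carry one principal plus a separate credential per remote server, so that the container-side code picks the credential for the server it is actually calling instead of presenting the same credential to every server. The ServerCredential and UserPrincipal types are hypothetical, and the container-side lookup is a sketch of what a stub might do.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

public class PerServerCredentials {
    // Hypothetical principal type: the authenticated user's identity.
    record UserPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // Hypothetical credential type: which server it is valid for, plus an opaque token.
    record ServerCredential(String server, String token) {}

    // Sketch of what a container-side stub could do: read the Subject bound to the
    // current thread (populated by JAAS login) and select the credential for the
    // server this request is going to, rather than sending one credential everywhere.
    // Note: Subject.getSubject(AccessControlContext) and Subject.doAs are deprecated
    // on recent JDKs in favour of Subject.current() and Subject.callAs.
    static String credentialFor(String server) {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            throw new IllegalStateException("no Subject bound to the current thread");
        }
        for (ServerCredential c : subject.getPrivateCredentials(ServerCredential.class)) {
            if (c.server().equals(server)) {
                return c.token();
            }
        }
        throw new IllegalStateException("no credential for server " + server);
    }

    public static void main(String[] args) {
        // Constructed sample Subject: one user, two server-specific credentials.
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal("alice"));
        subject.getPrivateCredentials().add(new ServerCredential("A", "token-for-A"));
        subject.getPrivateCredentials().add(new ServerCredential("B", "token-for-B"));
        subject.setReadOnly(); // prevent later tampering with the principal/credential sets

        // Bind the Subject to this thread for the duration of the action.
        Subject.doAs(subject, (PrivilegedAction<Void>) () -> {
            System.out.println("request to A uses " + credentialFor("A"));
            System.out.println("request to B uses " + credentialFor("B"));
            return null;
        });
    }
}
```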

===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST".  For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
