Assaf Arkin wrote:
>
> > That is right and logically true. But in the ejb server, you don't need JAAS for
> > authentication because the server itself can take care of querying its authentication
> > database. The whole server is written by the same instance and a physical user doesn't
> > directly interact with the server. JAAS is needed at client side because the application
> > client implements the user interface that takes care of gathering user input (name,
> > password) on behalf of the authentication subsystem (AuthenticationModule).
>
> How about if I want to use LDAP, X.500, Kerberos, PAM or simple text
> files and your EJB server only supports an authentication database,
> which I don't use.
Each server should provide a way for plugging in custom realms. Weblogic does that.
>
>
> What if JAAS allowed me to plug my authentication provider into your EJB
> server?
>
Great! Using JAAS for plugging custom realms into the ejb server is a very good idea.
This is now being done in a proprietary way by some servers. It is a part of the
Server-Container specification like JTS for transaction. But it's a great idea.
>
> > This re-authentication shouldn't be necessarily done through JAAS. The ejb server can
> > simply query its realm (authentication database) to get the principal corresponding to the
> > Kerberos credential. It can alternatively use the Kerberos credential to instantiate a
> > principal and associate it with the user's thread (also simple, because you can encode a
> > Kerberos credential into a string).
>
> And exactly how does the EJB server do that?
>
Re-authentication can be done using the server's proprietary interface for accessing realms. For
example realm.getJ2EEPrincipal(String kerberosCredential);
For the case where EJBServers and EJBClients (Servlets container, J2EE application client) are
greatly integrated, the same principal can be used by all clt and svr. This principal can be
transmitted serialized through the communication subsystem or re-instantiated from a string: new
J2EEPrincipal(String kerberosTicket).
Your idea of using JAAS for integrating custom realms into the ejb server is great.
Thanks.
--
Francis Pouatcha
MATHEMA Software GmbH
http://www.mathema.de