Hey
Let's get hardcore.
Harish Prabandham wrote:
> The security information is typically sent along with the
> call. It is never associated with the remote object.
What does "typically" mean? Are there any other possibilities (that are
*used*)? The only option I could think of is socket connection identity
association, but does anyone actually use that?
> The security methods getCallerPrincipal() and isCallerInRole()
> are "call" specific - not object specific. Similarly, role
> based authorization checks are done based on who called
> the bean - not based on who created the bean.
Exactly. But until JAAS becomes widely implemented/accepted/used the
whole client authentication thing is undefined, which is what RMH
was referring to (I assume).
I'm not a security expert, but from what I've seen JAAS seems really
good (from a programmer's perspective). Simple yet powerful, just the way
I like it...
/Rickard
--
Rickard Öberg
@home: +46 13 177937
Email: [EMAIL PROTECTED]
Homepage: http://www-und.ida.liu.se/~ricob684
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
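The distinction in the quoted reply (security context is per call, not per bean instance) as an added illustration, not code from this thread: an EJB 1.1-style stateful session bean whose names (`AccountBean`, the `admin` role, `closeAccount`) are hypothetical; the `admin` role is assumed to be declared with a `security-role-ref` in the deployment descriptor.

```java
import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

// Hypothetical stateful session bean; class and method names are assumptions.
public class AccountBean implements SessionBean {
    private SessionContext ctx;
    private String creator;          // who created this instance
    private boolean creatorIsAdmin;  // role check cached at creation (the bug)

    public void setSessionContext(SessionContext ctx) {
        this.ctx = ctx;
    }

    public void ejbCreate() throws CreateException {
        // Both values describe the *creating* call only; they say nothing
        // about whoever invokes business methods on this instance later.
        creator = ctx.getCallerPrincipal().getName();
        creatorIsAdmin = ctx.isCallerInRole("admin");
    }

    // WRONG: authorizes against the identity captured in ejbCreate(), so a
    // client that later gets a reference (e.g. via a Handle) to an instance
    // created by an admin inherits the admin's rights without being one.
    public void closeAccountUnsafe() {
        if (!creatorIsAdmin) {
            throw new EJBException("not authorized (created by " + creator + ")");
        }
        // ... close the account
    }

    // RIGHT: the container attaches the security information to each call,
    // so the role check is re-evaluated against the current caller every time.
    public void closeAccount() {
        if (!ctx.isCallerInRole("admin")) {
            throw new EJBException("caller " + ctx.getCallerPrincipal().getName()
                    + " is not in role admin");
        }
        // ... close the account
    }

    public void ejbRemove() { }
    public void ejbActivate() { }
    public void ejbPassivate() { }
}
```

The same rule applies to declarative `method-permission` entries: the container evaluates them per invocation against the calling principal, never against the principal that created the instance.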