Re: Security problem with javax.ejb.Handle

[Harish Prabandham]

Hi,

>
> Harish Prabandham wrote:
> > The security information is typically sent along with the
> > call. It is never associated with the remote object.
>
> What does "typically" mean? Are there any other possibilities (that are
> *used*)? The only option I could think of is socket connection identity
> association, but does anyone actually use that?
>

I used *typically* to mean *in the most common case*.

In IIOP, implementation could use ServiceContext fields to
send the credentials of the caller.  J2EE reference implementation
uses the ServiceContext fields to propagate the security
context.


Harish Prabandham

J2EE Reference Implementation
Javasoftware Division
Sun Microsystems.

===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST".  For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".