Hi,
>
> Well it seems that there is no agreed upon mechanism (let's say with
> RMI/IIOP) to propagate the client's identity (except IIOP/SSL).
>
That's not true. There is no inter-operable way of propagating
the client identity. But in IIOP, Service Context fields could
be used to propagate the client identity in a container specific
way. The Reference Implementation uses this method to propagate
the client identity from the client to the server.

> > The security information is typically sent along with the
> > call. It is never associated with the remote object.
>
> You are incorrect. For example, Sybase EAServer uses this technique to
> implement authentication for CORBA 2.0 clients that don't implement any
> of the standard CORBA security mechanisms (like IIOP/SSL).
>
I was not aware of that EAServer behavior. But, I am sure that
associating the "credentials" with the object is not a good idea in
the case of EJBs, since the same object could be called by
different clients. Moreover, the EJB 1.1 spec. requires the caller
principal information to be propagated.
>
> That's all fine and well, but if the only identity available is that
> of the creator of the object reference, and the caller's identity is not
> propagated over the wire, then you are left with two choices:
>
> (1) Use the identity of the client who created the object reference.
>
> (2) Use some anonymous identity.
>
> I know which I would choose (#1). It of course means that clients
> should not share object references, i.e. Handles should not be passed
> between clients with different identities if you want this scheme to work.

Since there is an easy way of doing it in IIOP (see my other posting),
you could use that instead of either of these options.

Harish Prabandham
J2EE Reference Implementation
JavaSoftware Division
Sun Microsystems
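
The per-call propagation discussed in the message above, as an added example that is not part of the original post and not the Reference Implementation's code: a caller principal is encoded into an IIOP service context list and recovered on the server side. The context ids, the payload layout (a CDR encapsulation holding one string), the principal names and the assumption that the list starts at a 4-byte-aligned offset are all hypothetical.

```python
import struct

# Hypothetical vendor-private context ids; a real container picks its own.
IDENTITY_CONTEXT_ID = 0x58590001
OTHER_CONTEXT_ID = 0x58590002

def _align(buf, n):
    buf.extend(b"\x00" * (-len(buf) % n))      # CDR padding to a multiple of n

def encode_identity(principal):
    """context_data: big-endian CDR encapsulation holding one IDL string."""
    data = bytearray(b"\x00")                  # byte-order flag, 0 = big-endian
    _align(data, 4)
    raw = principal.encode("utf-8") + b"\x00"  # CDR strings are NUL-terminated
    data += struct.pack(">I", len(raw)) + raw
    return bytes(data)

def encode_context_list(contexts):
    """Service context list: ulong count, then (ulong id, sequence<octet>)."""
    out = bytearray(struct.pack(">I", len(contexts)))
    for ctx_id, data in contexts:
        _align(out, 4)
        out += struct.pack(">II", ctx_id, len(data)) + data
    return bytes(out)

def caller_principal(wire):
    """Server side: principal carried by this one request, or None."""
    (count,) = struct.unpack_from(">I", wire, 0)
    pos = 4
    for _ in range(count):
        pos += -pos % 4                        # skip alignment padding
        ctx_id, length = struct.unpack_from(">II", wire, pos)
        data = wire[pos + 8:pos + 8 + length]
        if len(data) != length:
            raise ValueError("truncated service context")
        pos += 8 + length
        if ctx_id == IDENTITY_CONTEXT_ID:
            if length < 8 or data[0] != 0:
                raise ValueError("unsupported identity encapsulation")
            (slen,) = struct.unpack_from(">I", data, 4)
            raw = data[8:8 + slen]
            if slen == 0 or len(raw) != slen or raw[-1] != 0:
                raise ValueError("malformed principal string")
            return raw[:-1].decode("utf-8")
    return None

# Constructed demo: two clients invoke through the same object reference,
# yet each request carries its own caller identity in its service contexts.
REQUESTS = [encode_context_list([(OTHER_CONTEXT_ID, b"\x00\x01\x02"),
            (IDENTITY_CONTEXT_ID, encode_identity(n))]) for n in ("alice", "bob")]
```

The principal here is whatever the client wrote into the request, so a server can rely on it only when the peer is authenticated by other means, such as the IIOP/SSL transport mentioned in the quoted text.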