Laird Nelson wrote:
>
> Assaf Arkin wrote:
> > Laird Nelson wrote:
> > > But the specification says
> > > nothing about how to tie a caller to a role, yes?
> > That's up to the implementation.
>
> OK; good; that's what I thought.  So the implementation should have a
> way to indicate that if user-with-Principal-X logs in, whatever that
> means (more on that in a moment), he should be notionally shoved in Role
> Y.  Then calls to isCallerInRole(Y) will work.  Got it.
>
> So let's back up one level and ask: at what point is the EJB container
> told that the client that is dispatching zillions of method invocation
> requests is identified by Principal X?  Or, to ask it another way, who
> (what process, what layer, what tier, what program, what object) sets
> the Principal that is returned when an EntityBean, say, asks its
> EJBContext for the caller Principal, by invoking the
> getCallerPrincipal() method?  Since it is part of the EJB specification,
> I have to assume that the earliest point that this information can be
> supplied is during the JNDI getInitialContext() lookup call.  But that
> also sounds like it would be horribly dangerous, so I have to assume
> that no one has actually implemented it that way, because people are
> generally smarter than I am.  :-)

1. If you're running inside a Servlet engine, you will get the
caller/role from the Web server. At least that part is working.

2. You can get it from the JNDI authentication, not super secure.

3. If you are doing secure RMI or any other proprietary protocol you can
get it that way.

Anything else is a flaw of the Java platform not really specifying how
to get a secure connection from A to B.

arkin


>
> Clues?  Pointers?
>
> Cheers,
> Laird

--
----------------------------------------------------------------------
Assaf Arkin                                           www.exoffice.com
CTO, Exoffice Technologies, Inc.                        www.exolab.org
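To make the division of labour in the reply above concrete (the web tier or secure transport authenticates; the bean only consults the Principal the container propagated and asks isCallerInRole), here is an added example that is not code from this thread or from any of the projects mentioned. The bean name, the role names and the descriptor fragment are all hypothetical:

```java
import java.security.Principal;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

// Hypothetical stateless session bean. It never authenticates anyone itself;
// it relies on the identity the container received from the tier that did
// (servlet engine, JNDI login, secure RMI) and on the deployer's role mapping.
public class AccountBean implements SessionBean {
    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }

    // Business method guarded by a programmatic role check (deny by default).
    public String closeAccount(String accountId) {
        // "Y" is the logical role name used in the code; the deployer maps
        // Principal X to it outside the bean (vendor-specific, per the thread).
        if (!ctx.isCallerInRole("Y")) {
            throw new EJBException("caller is not in role Y");
        }
        // The container-supplied Principal is the only trustworthy identity;
        // do not derive the caller from method arguments or the client socket.
        Principal caller = ctx.getCallerPrincipal();
        return "closed " + accountId + " for " + caller.getName();
    }

    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
}

/* Matching ejb-jar.xml fragment (other elements omitted). The bean's logical
   role "Y" is linked to an assembly-level role; binding Principal X to that
   role happens in the container's own (non-standard) configuration.
<session>
  <ejb-name>AccountBean</ejb-name>
  <security-role-ref>
    <role-name>Y</role-name>
    <role-link>account-admin</role-link>
  </security-role-ref>
</session>
<assembly-descriptor>
  <security-role><role-name>account-admin</role-name></security-role>
</assembly-descriptor>
*/
```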
