>> > > But the specification says
>> > > nothing about how to tie a caller to a role, yes?
<snip>
>> (what process, what layer, what tier, what program, what object) sets
>> the Principal that is returned when an EntityBean, say, asks its
>> EJBContext for the caller Principal, by invoking the
>> getCallerPrincipal() method?
<snip>
>1. If you're running inside a Servlet engine, you will get the
>caller/role from the Web server. At least that part is working.
>2. You can get it from the JNDI authentication, not super secure.
>3. If you are doing secure RMI or any other proprietary protocol you can
>get it that way.
>Anything else is a flaw of the Java platform not really specifying how
>to get a secure connection from A to B.


DCOM and CORBA/IIOP allow for the propagation of both security and
transaction context information.

RMI/JRMP and RMI/IIOP do not.  See:
http://forum.java.sun.com/forum?[EMAIL PROTECTED]^[email protected]

So I wonder how can any EJB vendor out there support EJB
security or client transactions at all?

Regards

    Javier Borrajo
    www.tid.es
