What about the InitialContext you're creating in the servlet (or any
other client) for lookup. In WebLogic, you should be setting
Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS while
creating the InitialContext? Does it not explain the magic?
Subrahmanyam
Laird Nelson wrote:
>
> I've been carrying on this discussion with Assaf Arkin and Rickard Oberg
> (sorry, Rickard; can't figure out on my Sun keyboard here how to create
> the proper character for the first letter of your last name--and am
> feeling quite stupid about it, actually....) offline, and would now like
> to expose it to the EJB-INTEREST list as a whole.
>
> Has anyone out there written a servlet to log a user in to a system? (I
> SURE hope the answer is yes. :-))
>
> If so, has that same person then managed to pass that information on to
> an EJB container? If so, how? Could you kindly pass sample code along
> for your container's way of doing this?
>
> Here, in more detail, is what I'm talking about. Note that although the
> Servlet 2.2 API has security related calls (isCallerInRole(), etc.) I am
> restricted to using 2.1 (as I suspect 902837029375 other people are as
> well) which has no such calls:
>
> Joe wants to log in, so he hits a URL that calls LoginServlet.
> LoginServlet takes in username and password, looks up user by username
> (in the database, say), finds the user on disk, validates password;
> everything is OK. LoginServlet puts Joe, or some other token, into the
> Session object to effectively identify that Joe is indeed logged in.
>
> ===> MAGIC PART STARTS HERE
> LoginServlet now somehow magically calls God down from the heavens to
> cause a miracle to happen whereby the EJB container that hasn't yet been
> invoked is now made aware of the fact that Joe is the current
> Principal. That is, any enterprise bean that, in the future, will call
> EJBContext.getCallerPrincipal(), will get Joe's Principal as the return
> value. Various angels and demigods retreat back to the ethereal heights
> whence they came.
> ===> MAGIC PART ENDS HERE
>
> Joe now navigates around the site as a "logged in" user and finally hits
> OrderProcessingServlet.
> OrderProcessingServlet does something to figure out that Joe is logged
> in. Perhaps it looks in the Session object to get the joe object that's
> been stashed there. Doesn't really matter. All that matters is this
> servlet knows now that it is dealing with an authenticated user.
> OrderProcessingServlet calls InitialContext.getInitialContext() (or
> whatever that first JNDI call is).
> Using the context, OrderProcessingServlet now wants to get the
> OrderProcessor session bean. OrderProcessingServlet gets the session
> bean's home.
> OrderProcessingServlet uses the OrderProcessorHome to get the
> OrderProcessor.
> OrderProcessingServlet now invokes OrderProcessor.processOrder().
> This method invocation of course flows across the wire into the EJB
> container.
> The EJB container begins checking security.
>
> ===> MAGIC CONTAINED STARTING HERE
> The EJB container DUE TO MAGIC AND DIVINE INTERVENTION (see above)
> miraculously already? knows that the invoker of processOrder() is Joe.
> ===> MAGIC CONTAINMENT ENDS HERE
>
> The EJB container looks up its little container-specified list of users
> to roles.
> The EJB container discovers that in fact Joe is wanted in five states
> for armed assault and hence is not a member of the Buyer role.
> The EJB container rejects the call to processOrder().
> OrderProcessingServlet receives an Exception saying something like "Joe
> not in role Buyer".
>
> OK, there are two spots in this ridiculously simple flow of events where
> divine intervention is required. Could someone (preferably using
> WebLogic) please detail the prayers and incantations that are required
> of the various servlets in order to get the EJB container to be aware
> that Joe has logged in?
>
> Does anyone from Sun monitor this list? Is this absurdly childish
> example REALLY this hard? Is it therefore the case that if this example
> is indeed correct that one would be utterly foolish and insane to buy a
> servlet engine that is not tightly coupled to an EJB container? Doesn't
> that in itself violate the entire intent of the specification, viz.
> buying best-of-breed individual components that don't need to be made by
> the same vendor? Isn't this all incredibly stupid?
>
> Cheers,
> Laird
>
> ===========================================================================
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff EJB-INTEREST". For general help, send email to
> [EMAIL PROTECTED] and include in the body of the message "help".
--
----------------------------------------------------------
Letting U=Universal, and given God=U and Unreason=U,
Unreason=God --- Q.E.D.
Check me at http://www.Subrahmanyam.com
----------------------------------------------------------
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
