Assaf Arkin wrote:
> Laird Nelson wrote:
> >
> > "Subrahmanyam A.V.B." wrote:
> > >
> > > What about the InitialContext you're creating in the servlet (or any
> > > other client) for lookup. In WebLogic, you should be setting
> > > Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS while
> > > creating the InitialContext? Does it not explain the magic?
> >
> > Partially. Does this mean that I should be getting a new
> > InitialContext() *every time* my servlet is invoked (since it could be
> > invoked by all sorts of people), rather than stashing the first
> > InitialContext away as a member variable? Isn't this slow and
> > unadvisable? Then again, perhaps this is the only way to do it?
>
> InitialContext doesn't have that much of an overhead. It's pretty much a
> factory into the naming context, which for ENC shouldn't be doing much
> to begin with.
>
> It might, however, attempt to authenticate each time, which is not
> smart.
>
> That's why the Servlet does the authentication for you. Apparently that is
> not clear in the specs, but will be addressed in a future revision.
The solution is not to find a workaround for WLS, but to ask WebLogic to move to
RMI-IIOP, thus avoiding sending the security context through JNDI every time the
servlet calls the bean.
Servlets use RMI-IIOP to access EJB servers and, like Evan Ireland says in the
isCallerInRole() thread, use IIOP to exchange security and transaction context
between EJB clients and servers.
Concerning the initial mail:
<Laird>
===> MAGIC PART STARTS HERE
LoginServlet now somehow magically calls God down from the heavens to
cause a miracle to happen whereby the EJB container that hasn't yet been
invoked is now made aware of the fact that Joe is the current
Principal. That is, any enterprise bean that, in the future, will call
EJBContext.getCallerPrincipal(), will get Joe's Principal as the return
value. Various angels and demigods retreat back to the ethereal heights
whence they came.
===> MAGIC PART ENDS HERE
</Laird>
Servlets need a portable way of communicating form-based authentication data to
the webserver (basic authentication and certificate-based authentication are done
by the webserver).
<Laird>
===> MAGIC CONTAINED STARTING HERE
The EJB container DUE TO MAGIC AND DIVINE INTERVENTION (see above)
miraculously already? knows that the invoker of processOrder() is Joe.
===> MAGIC CONTAINMENT ENDS HERE
</Laird>
Webserver and EJB server should be configured to use the same realm (or
authentication database). This will allow the container to use the security
context (Joe) included in the servlet's IIOP call.
Francis.
--
Francis Pouatcha
MATHEMA Software GmbH
http://www.mathema.de
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
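The pattern the thread circles around (Subrahmanyam's suggestion of setting Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS, and Laird's question of whether the InitialContext may be stashed in a member variable) can be shown in a short servlet. This is an added example, not code from any of the posters or from WebLogic's documentation. It assumes WebLogic's standard "weblogic.jndi.WLInitialContextFactory", a placeholder provider URL, a hypothetical JNDI name "ejb/OrderHome" and a hypothetical OrderHome remote home interface; the point it illustrates is that a servlet instance is shared by all requests, so an InitialContext authenticated once and cached in a field would make every later caller act as the first one.

```java
import java.io.IOException;
import java.util.Hashtable;

import javax.ejb.EJBHome;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.rmi.PortableRemoteObject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LoginServlet extends HttpServlet {

    // Hypothetical remote home interface of the order bean (not on the page).
    public interface OrderHome extends EJBHome {
    }

    // Placeholders: replace with the real provider URL and JNDI name.
    private static final String PROVIDER_URL = "t3://ejbhost.example:7001";
    private static final String ORDER_HOME_JNDI = "ejb/OrderHome";

    // WRONG (the pattern Laird asked about): one servlet instance serves every
    // request, so a context authenticated as the first user and kept here
    // would be reused for all subsequent users.
    //
    // private Context sharedContext;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");
        if (user == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        Context ctx = null;
        try {
            // RIGHT: a fresh context per request, bound to this caller only.
            ctx = authenticatedContext(user, password);
            OrderHome home = lookupOrderHome(ctx);
            // Hand the home to the next stage of this request only; never
            // store it, or the context, in a servlet field.
            req.setAttribute("orderHome", home);
            req.getRequestDispatcher("/order.jsp").forward(req, resp);
        } catch (NamingException e) {
            // WebLogic rejects the InitialContext when the credentials are bad;
            // report it to the caller without revealing which part failed.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } finally {
            if (ctx != null) {
                try {
                    ctx.close();
                } catch (NamingException ignored) {
                    // nothing useful to do on close failure
                }
            }
        }
    }

    /** Builds an InitialContext carrying the caller's identity to WebLogic. */
    static Context authenticatedContext(String user, String password)
            throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialContext(env);
    }

    /** Looks up the home and narrows it the RMI-IIOP way (no plain cast). */
    static OrderHome lookupOrderHome(Context ctx) throws NamingException {
        Object ref = ctx.lookup(ORDER_HOME_JNDI);
        return (OrderHome) PortableRemoteObject.narrow(ref, OrderHome.class);
    }
}
```

Creating the context per request is what keeps the principal seen by EJBContext.getCallerPrincipal() tied to the user who actually submitted the form; the cost Laird worried about is the per-request authentication Assaf mentions, which is the trade-off Francis proposes to avoid by carrying the security context in the IIOP call instead of through JNDI.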