Yes, I have been tearing my hair out over this one, just as you have.

Actually, these issues are not yet entirely resolved. In EJB 1.0 they're not
resolved at all. This is a cross-specification issue and it seems Sun back
then didn't have the organization to handle this stuff.

In the latest J2EE things look a bit better, since you can specify in the
deployment descriptor of a web archive which pages need to be authenticated
and how this should be done. There are 4 choices ("basic", "digest", "form",
"client-cert"), so the flexibility is not really what one should expect.

The JAAS way of authentication is really cool, though, featuring PAM
(Pluggable Authentication Modules), which gives all the flexibility one could
ever want to have (and more!).
The issue of whether JAAS is gonna get integrated into J2EE or not has been
under discussion on this or the j2ee-list. Also, I've read somewhere that it is
gonna be integrated.

<vendor>
WebLogic 5.0 is gonna support the latest J2EE specs. I have downloaded the
beta but haven't had the time to evaluate it yet. If you just want to play
around I strongly recommend the Orion-Server (www.orionserver.com). Nice!

In WebLogic (at least 4.5) there is some undocumented (or at least I can't
find the javadocs, but I might be an incompetent documentation reader)
feature for doing exactly what you want. It's called something like
weblogic.security.ServletAuthenticator or something. I think there might be
an example somewhere as well. Browse around with a decompiler and I think
you will learn things.

I've gotten what you're talking about to work on WebLogic 4.5. Of course
this is WebLogic-specific.
</vendor>


> -----Original Message-----
> From: A mailing list for Enterprise JavaBeans development
> [mailto:[EMAIL PROTECTED]]On Behalf Of Laird Nelson
> Sent: Monday, February 14, 2000 3:08 PM
> To: [EMAIL PROTECTED]
> Subject: Re: How to get a container to know what Principal is calling it?
>
>
> Rickard Öberg wrote:
> > No no no, you never ever use JNDI to authenticate EJB callers. It won't
> > work.
>
> Good; I was beginning to think it was just me.  :-)
>
> > What *is* a good way to do this is to use a thread-based scheme such as
> > JAAS. For now security authentication is proprietary, and is indeed the
> > by far biggest hole in the whole J2EE area, but once JAAS becomes used
> > this should clear up (I hope, fingers crossed).
>
> I'm going to entreat others on this list again.  If I have a piece of
> HTML that looks like this:
>
>   <form name="loginForm" method="get"
> action="http://my.server.com/servlets/LoginServlet">
>   <input type="text" name="username">
>   <input type="password" name="password">
>   </form>
>
> ...then how should my LoginServlet indicate either to its container or
> to the EJB container or, preferably, both, that the value of "username"
> is the name of the current user?  I fail to see how this is possible at
> the moment.  FWIW, I'll be using WebLogic.
>
> This seems like an absurdly simple issue to have been completely missed
> in the EJB specification, but after three weeks of not hearing any
> answers on this, I'm beginning to believe, jaw agape, that perhaps
> someone really never actually attempted this scenario.
>
> Cheers,
> Laird
>
> ==================================================================
> =========
> To unsubscribe, send email to [EMAIL PROTECTED] and include
> in the body
> of the message "signoff EJB-INTEREST".  For general help, send email to
> [EMAIL PROTECTED] and include in the body of the message "help".
>
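
The deployment-descriptor approach mentioned in the reply, as an added example that is not part of the original thread or any vendor's documentation: a `web.xml` fragment that protects a set of pages with FORM login. The URL pattern, role name and page paths are assumed values.

```xml
<!-- Added example: WEB-INF/web.xml fragment (Servlet 2.2 era layout).
     URL pattern, role name and page paths are assumed values. -->
<web-app>

  <!-- Which pages need authentication, and who may see them. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
    <!-- Ask the container to require a protected transport, so the
         password typed into the login form is not sent in clear text. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- How authentication is done: BASIC, DIGEST, FORM or CLIENT-CERT. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- login.html posts to the container, not to an application servlet:
             <form method="post" action="j_security_check">
               <input type="text" name="j_username">
               <input type="password" name="j_password">
             </form>
           POST keeps the credentials out of URLs, access logs and
           Referer headers, unlike method="get". -->
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-failed.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>member</role-name>
  </security-role>

</web-app>
```

With this in place the web container performs the credential check and records the caller, which a servlet can read through `HttpServletRequest.getUserPrincipal()` or `getRemoteUser()`; how that identity reaches the EJB container is still product-specific, as the thread says.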
