Evan Ireland wrote:
>
> Rickard Öberg wrote:
> >
> > ...
> >
> > There are a couple more scenarios such as this, for example including
> > extensive use of Handles, that show that JNDI is not a good way to
> > authenticate EJB users.
> >
> > What *is* a good way to do this is to use a thread-based scheme such as
> > JAAS. For now security authentication is proprietary, and is indeed the
> > by far biggest hole in the whole J2EE area, but once JAAS becomes used
> > this should clear up (I hope, fingers crossed).
>
> What you propose is not necessarily *good*. If a client is simultaneously
> talking to multiple servers, the usual implementation of your proposal would
> force the client to present the same credentials to all remote servers it is
> simultaneously communicating with. In such situations, using JNDI to
> authenticate the users is preferable (assuming in this case that object
> references won't be passed between clients and handles won't be used).

JNDI does not authenticate the user. Once you get a reference you can
use it multiple times with different users.

JAAS takes care of authenticating if you use multiple servers with
different credentials (see javax.security.auth.Subject to understand
how).

arkin

> ________________________________________________________________________________
>
> Evan Ireland Sybase EA Server Engineering [EMAIL PROTECTED]
> Wellington - New Zealand +64 4 934-5856
>
> ===========================================================================
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff EJB-INTEREST". For general help, send email to
> [EMAIL PROTECTED] and include in the body of the message "help".
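
The point about `javax.security.auth.Subject` and multiple servers, as an added example that is not part of the original thread: one client thread makes calls under two different Subjects, each carrying its own credential. `UserPrincipal`, `PasswordCredential`, `login` and `invoke` are hypothetical names, the secrets are constructed sample values, and `Subject.callAs`/`Subject.current` assume JDK 18 or later (older code used `Subject.doAs`).

```java
import java.security.Principal;
import javax.security.auth.Subject;

public class PerServerSubjects {
    // Hypothetical principal and credential types; a real container supplies its own.
    record UserPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    record PasswordCredential(char[] password) {}

    // Stands in for LoginContext.login(); no real authentication happens here.
    static Subject login(String user, String password) {
        Subject s = new Subject();
        s.getPrincipals().add(new UserPrincipal(user));
        s.getPrivateCredentials().add(new PasswordCredential(password.toCharArray()));
        return s;
    }

    // Hypothetical client-side stub. The identity is not tied to the JNDI context
    // or to the object reference: it is whichever Subject is current at call time.
    static String invoke(String server) {
        Subject caller = Subject.current();
        if (caller == null) {
            return server + ": rejected (no authenticated subject)";
        }
        String who = caller.getPrincipals(UserPrincipal.class).iterator().next().getName();
        // A real stub would present this credential to the server during the call.
        PasswordCredential cred =
            caller.getPrivateCredentials(PasswordCredential.class).iterator().next();
        return server + ": call as " + who + " (credential of "
            + cred.password().length + " chars attached)";
    }

    public static void main(String[] args) {
        Subject forA = login("alice", "constructed-secret-A");
        Subject forB = login("bob", "constructed-secret-BB");

        // Same thread, two servers, two identities: each call runs under its own Subject.
        System.out.println(Subject.callAs(forA, () -> invoke("serverA")));
        System.out.println(Subject.callAs(forB, () -> invoke("serverB")));

        // Outside callAs there is no current Subject, so holding a reference
        // alone does not carry an identity.
        System.out.println(invoke("serverA"));
    }
}
```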