Dan,
did you successfully integrate jBoss and Tomcat security?
I had a look at it yesterday.
Tomcat's security is not based on threads as we have it in jBoss - they
assign the security context (authenticated principal) to the request
object that is handled through the call chain then.
I think at the end (j2ee compatible) it has to work like this:
// in Servlet...
public void doGet (Request req, ...)
{
    ...
    Principal p1 = req.getUserPrincipal ();
    ...
    // InitialContext must be instantiated before lookup() is called on it
    SomeHome home = (SomeHome) new InitialContext ().lookup (bla);
    SomeBean bean = home.create ();
    bean.doSomething ();
    ...
}

// in SomeBean...
public void doSomething ()
{
    Principal p2 = ctx.getCallerPrincipal ();
    // and p2 should now be the same as p1 ?!
    // transparent for the application (developer)
}
Please correct me if I'm wrong.
I've got no idea yet how to get the request's principal into the jBoss
call (whether via SecurityAssociation or anyhow else...) without hacking
the Tomcat code :-(
Any suggestions, comments, please
\Daniel
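
The request-based and thread-based models contrasted in the message above, as an added example that is not part of the original message and is not jBoss or Tomcat code. CALLER, Request, User and callAs are hypothetical stand-ins; the point shown is that a bridge between the two models has to bind the request's principal to the thread only for the duration of the call and restore the previous value afterwards, because worker threads are reused across requests.

```java
import java.security.Principal;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class PrincipalBridgeDemo {
    // Hypothetical stand-in for a thread-based security association (not the jBoss class).
    static final ThreadLocal<Principal> CALLER = new ThreadLocal<>();

    // Hypothetical stand-ins for the request object and its authenticated principal.
    record User(String name) implements Principal {
        public String getName() { return name; }
    }
    record Request(Principal userPrincipal) {}

    // Stand-in for SomeBean.doSomething(): the callee reads the caller from the thread.
    static String doSomething() {
        Principal p2 = CALLER.get();
        return p2 == null ? "<anonymous>" : p2.getName();
    }

    // Bridge: bind the request's principal to the current thread for this call only.
    static String callAs(Request req, Callable<String> beanCall) throws Exception {
        Principal previous = CALLER.get();
        CALLER.set(req.userPrincipal());
        try {
            return beanCall.call();
        } finally {
            // Restore the prior state so a pooled thread never carries
            // one request's identity into the next request it serves.
            if (previous == null) CALLER.remove(); else CALLER.set(previous);
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService worker = Executors.newSingleThreadExecutor(); // one reused thread
        Request authenticated = new Request(new User("alice"));      // constructed sample
        Request anonymous = new Request(null);                        // constructed sample

        String first = worker.submit(() -> callAs(authenticated, PrincipalBridgeDemo::doSomething)).get();
        String second = worker.submit(() -> callAs(anonymous, PrincipalBridgeDemo::doSomething)).get();
        String bare = worker.submit(() -> doSomething()).get(); // same thread, no bridge
        worker.shutdown();

        System.out.println("authenticated request  -> " + first);
        System.out.println("anonymous request      -> " + second);
        System.out.println("no bridge, same thread -> " + bare);
    }
}
```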