dferugson wrote:
> Oleg Nitz wrote:
>> All that happens locally on the server, no RMI calls.
> ** Well, the subject gets passed from the client to JBoss (via RMI)
Wrong. There are two JAAS login processes: one on the client, the second on
the server. The client JAAS LoginContext and client CallbackHandler are
created by the client application. ClientServerLoginModule is provided by
JBoss; it gets the user name and password via the CallbackHandler and sets
them in static variables, but it doesn't use the client Subject.
The user name and the password are passed via RMI to the server, where
JBoss creates the server JAAS LoginContext and server CallbackHandler, and
the user provides a server LoginModule or chooses one of the standard ones.
Now the user name and password are passed to the server LoginModules via the
server CallbackHandler, and the server LoginModules add the Principal and
roles to the server Subject.
> This would be pass by value, so when subsequent calls come through
> I was just curious how JBoss keeps track of the authenticated
> user/roles
JBoss caches authenticated pairs of (user name, role) along with the
corresponding set of roles. The user name and password are passed by value
on each method call. The JAAS authentication process is performed only if
the user name is not found in the cache. Now the cache is unlimited, but the
task to make it time-limited (size-limited?) is on my todo list.
If anyone else would like to implement this feature, go on,
unfortunately I won't have time for that in the near future.
Simone Bordet kindly proposed to use his cache support classes from
org.jboss.util package.
AFAIK passing the user name and password on each method call can be
avoided only by means of an SSL/TLS-protected RMI connection;
JSSE 1.0.2 seems to provide all the facilities needed for that,
but no one has volunteered for that task yet.
Regards,
Oleg
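The two-stage flow Oleg describes above (a client LoginModule that only captures the user name and password into static fields, the credentials travelling by value with each call, a server LoginModule that fills the server Subject with the Principal and roles, and a server-side cache keyed by user name that skips the JAAS run on a hit), as an added example written for this page, not JBoss code. `NamedPrincipal`, `ask()`, `fixed()`, `serverSide()`, `AUTH_CACHE`, the `PASSWORDS`/`ROLES` store and the `alice`/`s3cret` credentials are all constructed for the demo, and the server module is driven directly rather than through a `LoginContext` and `Configuration` as JBoss would do it:

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Constructed demo of the two JAAS stages described in the post; not JBoss code. */
public class TwoStageJaasDemo {
    /** Hypothetical principal type used for the user and its roles; JBoss has its own. */
    static final class NamedPrincipal implements Principal {
        private final String kind, name;
        NamedPrincipal(String kind, String name) { this.kind = kind; this.name = name; }
        public String getName() { return name; }
        public String toString() { return kind + ":" + name; }
    }
    /** Runs the two standard callbacks through a handler and returns {name, password}. */
    static Object[] ask(CallbackHandler h) throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { h.handle(new Callback[] {nc, pc}); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
        char[] pwd = pc.getPassword();   // getPassword() returns a copy, so the callback's own copy can go
        pc.clearPassword();
        return new Object[] {nc.getName(), pwd};
    }
    /** Client stage: parks the credentials in static fields and leaves the client Subject untouched. */
    public static class ClientSideLoginModule implements LoginModule {
        static String userName;
        static char[] password;
        private CallbackHandler handler;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { handler = h; }
        public boolean login() throws LoginException {
            Object[] creds = ask(handler);
            userName = (String) creds[0];
            password = (char[]) creds[1];
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { userName = null; password = null; return true; }
    }
    /** Server stage: checks the password against a constructed store, then fills the server Subject. */
    public static class ServerSideLoginModule implements LoginModule {
        static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");                 // constructed
        static final Map<String, List<String>> ROLES = Map.of("alice", List.of("Manager", "Viewer"));
        private Subject subject; private CallbackHandler handler; private String user; private boolean ok;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            Object[] creds = ask(handler);
            user = (String) creds[0];
            char[] presented = (char[]) creds[1];
            String expected = PASSWORDS.get(user);
            ok = presented != null && expected != null && Arrays.equals(presented, expected.toCharArray());
            if (presented != null) Arrays.fill(presented, '\0');   // do not keep the plaintext around
            if (!ok) throw new LoginException("authentication failed for " + user);
            return true;
        }
        public boolean commit() {
            if (!ok) return false;
            subject.getPrincipals().add(new NamedPrincipal("user", user));
            for (String r : ROLES.getOrDefault(user, List.of())) subject.getPrincipals().add(new NamedPrincipal("role", r));
            return true;
        }
        public boolean abort() { ok = false; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }
    /** The server-side cache the post describes: keyed by user name, so a hit skips the LoginModule. */
    static final Map<String, Subject> AUTH_CACHE = new HashMap<>();
    /** Handler that answers the callbacks from values that travelled (by value) with the call. */
    static CallbackHandler fixed(String name, char[] pwd) {
        return cbs -> {
            for (Callback c : cbs) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(name);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(pwd);
                else throw new UnsupportedCallbackException(c);
            }
        };
    }
    /** One "RMI call": authenticate or hit the cache. Drives the module directly; JBoss uses a LoginContext. */
    static Subject serverSide(String user, char[] pwd) throws LoginException {
        Subject cached = AUTH_CACHE.get(user);
        if (cached != null) return cached;
        Subject subject = new Subject();
        ServerSideLoginModule lm = new ServerSideLoginModule();
        lm.initialize(subject, fixed(user, pwd), new HashMap<>(), new HashMap<>());
        try { lm.login(); lm.commit(); } catch (LoginException e) { lm.abort(); throw e; }
        AUTH_CACHE.put(user, subject);
        return subject;
    }
    public static void main(String[] args) throws Exception {
        ClientSideLoginModule client = new ClientSideLoginModule();
        client.initialize(new Subject(), fixed("alice", "s3cret".toCharArray()), new HashMap<>(), new HashMap<>());
        client.login();   // client Subject stays empty; the statics now hold the credentials
        Subject first = serverSide(ClientSideLoginModule.userName, ClientSideLoginModule.password);
        Subject second = serverSide(ClientSideLoginModule.userName, ClientSideLoginModule.password);
        System.out.println("server principals: " + first.getPrincipals());
        System.out.println("second call served from cache: " + (first == second));
    }
}
```

Compile and run with `javac TwoStageJaasDemo.java && java TwoStageJaasDemo` (Java 9 or later for `Map.of`/`List.of`). The first `serverSide` call runs the server LoginModule and populates the Subject with `user:alice`, `role:Manager` and `role:Viewer`; the second is answered from `AUTH_CACHE` without touching the module, which is exactly the behaviour described in the post. Because the cache is keyed by the user name alone, a hit does not re-examine the presented password, so the time or size limit Oleg lists as a todo (and the SSL/TLS-protected RMI connection that would keep the credentials off the wire on every call) is what keeps such a cache from outliving the credentials it was built from.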