It logs you in for the lifetime of the VM or until you log in as someone else.
One problem with the current client side login module is that logout is a no-op,
so that if you do log out, you still have the username and credentials of the
previous login active.
Is there a reason the logout method does not clear the current SecurityAssociation
as is done in the abort method?
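public class ClientLoginModule implements LoginModule {
    ...
    /**
     * Method to abort the authentication process (phase 2).
     * Clears the principal and credential held by SecurityAssociation.
     */
    public boolean abort() throws LoginException {
        SecurityAssociation.setPrincipal(null);
        SecurityAssociation.setCredential(null);
        return true;
    }

    /**
     * Currently a no-op: the principal and credential of the previous
     * login stay in SecurityAssociation after logout.
     */
    public boolean logout() throws LoginException {
        return true;
    }
}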
----- Original Message -----
From: "dferugson" <[EMAIL PROTECTED]>
To: "Oleg Nitz" <[EMAIL PROTECTED]>; "jBoss Developer" <[EMAIL PROTECTED]>
Sent: Monday, January 22, 2001 1:55 PM
Subject: [jBoss-Dev] Re: [jBoss-User] jaas
> I think this should be my last question.... ;)
>
> When you use the LoginContext to login on the client side,
> it logs you in, but for how long? Until the life of the
> method, as long as the LoginContext has scope?
>
> I am assuming that while you are logged in (depending on
> the answer from the question above) all ejb calls will
> be tied to that user.
>
> I am really interested in finding out how JAAS does what it
> does. I can understand getting an instance of a LoginContext
> and calling a login method but how can all subsequent calls
> be sent out by that user without being wrapped in some other
> interface. etc. Seems like there would have to be a security
> server on the client side?
>
> Once logged in, when requests hit jboss, they have username and
> password attached so that jBoss will then run it through
> whichever loginModule that you have attached. This is assuming that
> each request must go through the login module, if not how
> is caching implemented?
>
> Thanks
>
> Oleg Nitz wrote:
> >
> > On Saturday 20 January 2001 23:52, Ferguson, Doug wrote:
> > > I think this jaas stuff is slowly starting to unravel
> > > for me.
> > Good :-)
> >
> > > Is the loginModule the thing that is pointed to via
> > > Auth.conf?
> > Yes.
> >
> > > Where can I find info on writing LoginModules?
> > In JAAS documentation, http://java.sun.com/products/jaas
> >
> > > You said that names are passed as parameters to the
> > > login module. This would be in the client code?
> > No, I meant the parameters of the login module in auth.conf.
> > Usually they are called "options", sorry for wrong terminology.
> >
> > > I've seen one example of a client that used jaas and it
> > > has to create a CallbackHandler to pass into the LoginContext.
> > > Is there a concrete implementation of CallbackHandler included
> > > with jBoss or will I need to write my own?
> > No, you need to write your own, it is a client application specific
> > thing by definition.
> >
> > > Also, since the current DB scheme doesn't support roles, does it
> > > just restrict users that can't authenticate from calling any
> > > method?
> > If you aren't authenticated, you can't call methods.
> > If you are authenticated, you can call any method in the bean,
> > for which ejb-jar.xml doesn't define any roles. If roles are defined,
> > you cannot call methods at all.
> >
> > Regards,
> > Oleg
>
> --
> Doug Ferguson
> Software Developer
> www.coremetrics.com
> 512-342-2623x212
> 512-619-9972(cell)
>
>
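
The logout behaviour asked about at the top of this message, as an added example that is not part of the original thread or JBoss's own code: a client login module whose logout() clears the stored identity the same way abort() does. The static principal/credential fields are a hypothetical stand-in for SecurityAssociation, and the class names, user name and password are constructed for the demo.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class LogoutDemo {
    static volatile String principal;   // hypothetical stand-in for SecurityAssociation (VM-wide)
    static volatile char[] credential;
    static void clearAssociation() {
        if (credential != null) Arrays.fill(credential, '\0'); // wipe before dropping the reference
        principal = null; credential = null;
    }
    public static class ClearingClientLoginModule implements LoginModule {
        private CallbackHandler handler;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> st, Map<String, ?> o) { handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            principal = nc.getName();
            credential = pc.getPassword();   // getPassword() returns a copy
            pc.clearPassword();              // wipe the callback's own copy
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { clearAssociation(); return true; }
        // Unlike a no-op logout, this drops the identity exactly as abort() does.
        public boolean logout() { clearAssociation(); return true; }
    }
    public static void main(String[] args) throws Exception {
        Configuration cfg = new Configuration() {   // in-memory replacement for auth.conf
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    ClearingClientLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
            }
        };
        CallbackHandler ch = cbs -> {   // constructed credentials; login() passes {name, password}
            ((NameCallback) cbs[0]).setName("alice");
            ((PasswordCallback) cbs[1]).setPassword("constructed-pw".toCharArray());
        };
        LoginContext lc = new LoginContext("client", null, ch, cfg);
        lc.login();
        System.out.println("after login:  " + principal);
        lc.logout();
        System.out.println("after logout: " + principal);
    }
}
```

Because the stored identity is shared by every thread in the VM, a client that switches users should call logout() on the old LoginContext before logging in as the new one.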