The problem is that JMS has no real notion of security. You can provide a username and password when obtaining a connection but this is the extent of JMS security. There is no defined mechanism for propagating the user identity as part of the message.
I think its rather poor myself. I would be inclined to add a security context filter to the JBoss MDB logic that allowed one to specify which message properties should be used in constructing the security context for a message delivered to an MDB. Totally non-portable, but the current state is useless for secured MDBs. This could be a simple extension of the current SecurityInterceptor that would be used for the MDB container and could be driven off of the jboss.xml section for MDBs. xxxxxxxxxxxxxxxxxxxxxxxx Scott Stark Chief Technology Officer JBoss Group, LLC xxxxxxxxxxxxxxxxxxxxxxxx ----- Original Message ----- From: "Dmitri Colebatch" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, October 18, 2001 12:24 AM Subject: [JBoss-user] mdb and security context > hey list, > > I've been spending the last few days looking at mechanisms for > asynchronous container invocations, and am now going to ask a question I > should have asked previously. > > Can someone give me a viewpoint on why the security context of a > invocation does not get propagated with a JMS call? From what I know of > the container, it would be very doable, but if theres a good reason why > its not done, then it'd be stupid of me to try... or is it just that we're > talking about young things (JMS, MDB)? > > cheers > dim > _______________________________________________ Jboss-development mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-development
