Just looking for the experiences of others on the list...
How are you handling client authentication in your jBoss applications? I get the feeling that many developers on the list are using servlet/jsp/<insert-web-technology-here> front-ends to their ejb applications. I work in a corporation where NT authentication is pretty standard (i.e., everyone will have an NT logon id and password), and JNDI is not implemented. From what I understand of JAAS, the client side must have server call-backs. In my case, the client will be a web front-end, most likely running on a *nix box (ejb server also running on *nix). Makes it kind of tough to integrate with NT domains.
I have coded a simple session bean that gets around this, but I haven't load tested it yet. When an authentication request comes in, it actually tries to open an FTP session to one of the NT servers here, and determines whether or not the logon was successful. I can't believe that this will hold up under any kind of stress--that remains to be seen. My other option is to have the user pass through a web-based authentication system on an NT web server that could set a cookie if the user is authenticated, but I'd rather not do that...I hate spreading the application so thin, with so many points of failure.
Obviously, we could ask people to register and set up passwords, etc. But, besides being a security concern (housing people's passwords that they probably use for other services too), it's a major hassle to ask our customers to remember yet another password.
Has anyone else dealt with this? What have you done about it?
-Jason
- Re: [jBoss-User] Security question VASQUEZ_JASON
- Re: [jBoss-User] Security question Gareth Cantrell
- Re: [jBoss-User] Security question Rolando Rivera
- Re: [jBoss-User] Security question Keith L. Musser
- Re: [jBoss-User] Security question VASQUEZ_JASON
- Re: [jBoss-User] Security question Keith L. Musser
