On 9 Nov 00, at 8:42, Keith L. Musser wrote:
> I tried org.jboss.system.SecurityAssociation.setPrincipal() and it
> worked correctly. However, I found that there is a performance overhead
> in every method invocation if I set the Principal on the client.
>
> There is an alternative design which doesn't carry the overhead in every
> method call. It is to have the JNDI home-interface lookup do the
> authentication. Then the Principal in the Home interface can be set,
> and any EJBObjects obtained by create or find from that home interface
> inherit the user's context.
>
> Using this method, the Principal / credentials only need to pass through
> the network once, when the home interface is retrieved.
Hi Keith,
Two things:
1. I'm not sure I understand how this works, unless you use some
form of transport layer security--because as far as I know, there is
no way to indicate the session to which a remote call belongs
except by using implicit parameters. Can you explain more how
this works?
2. JNDI lookup is not spec-compliant with EJB security. Consider
the case where a client serializes the home interface handle, and a
different client (with a different user) deserializes and uses it. This
new user has unauthorized access.
By the way, in my opinion the real overhead is in reauthenticating
the client with each remote call--not the cost of transporting the
principal and credential. To my knowledge, this can only be fixed
with a session-based secure transport (e.g. SSL/TLS) and a
"trusted client" token.
-Dan
>
> Has anyone considered this, which should have better performance than
> passing the information with each invocation? Are there any drawbacks
> to this approach?
>
> [ This idea came from John Ellis on the jonas-users mailing list,
> message dated November 8, 2000. ]
>
> - Keith
>
> -----Original Message-----
> From: Oleg Nitz <[EMAIL PROTECTED]>
> To: jBoss <[EMAIL PROTECTED]>
> Date: Monday, November 06, 2000 6:16 AM
> Subject: Re: [jBoss-User] problem with ctx.getCallerPrincipal()
>
>
> >Hi jBoss,
> >
> >Keith L. Musser wrote:
> >KLM> For my application, my beans need to know who the end-user is. When I
> >KLM> call the "getCallerPrincipal()" method in the SessionContext or
> >KLM> EntityContext, I receive "null".
> >
> >KLM> Does jBoss propagate the caller principal per the EJB spec?
> >Yes.
> >
> >KLM> If so, how can my client set it initially?
> >The simplest way: call
> >org.jboss.system.SecurityAssociation.setPrincipal()
> >on client.
> >
> >Other way: use JAAS, see
> >http://www.mail-archive.com/[email protected]/msg04170.html
> >
> >Sorry, the documentation on this topic is not ready yet.
> >
> >Best regards,
> > Oleg
> >
> >
> >
> >
> >--
> >--------------------------------------------------------------
> >To subscribe: [EMAIL PROTECTED]
> >To unsubscribe: [EMAIL PROTECTED]
> >Problems?: [EMAIL PROTECTED]
> >
> >
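Dan's second point, as an added illustration that is not part of the thread and not JBoss code: if authentication happens once at home lookup and the principal is stored in the home object, the principal travels with the home wherever it is serialized. The class names, the thread-local stand-in for SecurityAssociation, and the two "clients" below are assumptions made for the demo; a real EJB container would use its own Principal type and transport.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.Principal;

// Added example, not JBoss code: compares a principal bound into the home
// object with a principal bound to the calling thread, after the home has
// been serialized and handed to a second, unauthenticated client.
public class HandleLeakDemo {

    // Hypothetical principal type; a container would supply its own.
    static final class SimplePrincipal implements Principal, Serializable {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Design discussed in the thread: authenticate at lookup time and keep
    // the principal inside the home. Everything derived from the home,
    // including a deserialized copy held by someone else, inherits it.
    static final class AuthenticatedHome implements Serializable {
        private final Principal owner;
        AuthenticatedHome(Principal owner) { this.owner = owner; }
        Principal callerPrincipal() { return owner; }
    }

    // Per-invocation association (stand-in for SecurityAssociation): the
    // principal lives in the invoking thread, not in the serialized object.
    static final ThreadLocal<Principal> CURRENT = new ThreadLocal<>();

    static final class PlainHome implements Serializable {
        Principal callerPrincipal() { return CURRENT.get(); }
    }

    // Round-trip an object through bytes, as if one client wrote the handle
    // to disk or the wire and another client read it back.
    @SuppressWarnings("unchecked")
    static <T extends Serializable> T roundTrip(T obj)
            throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (T) in.readObject();
        }
    }

    static String nameOf(Principal p) { return p == null ? "<none>" : p.getName(); }

    public static void main(String[] args) throws Exception {
        // Client A authenticates as "alice" (constructed identity) and gets a home.
        AuthenticatedHome boundHome = new AuthenticatedHome(new SimplePrincipal("alice"));
        PlainHome plainHome = new PlainHome();
        CURRENT.set(new SimplePrincipal("alice"));
        System.out.println("A, principal in home   : " + nameOf(boundHome.callerPrincipal()));
        System.out.println("A, principal in thread : " + nameOf(plainHome.callerPrincipal()));

        // Client B is a different party (modelled as a different thread) that
        // never authenticated but obtained the serialized homes.
        AuthenticatedHome leakedBound = roundTrip(boundHome);
        PlainHome leakedPlain = roundTrip(plainHome);
        Thread clientB = new Thread(() -> {
            // The bound home still answers "alice": B now acts as alice.
            System.out.println("B, principal in home   : " + nameOf(leakedBound.callerPrincipal()));
            // The thread-bound design yields no principal for B.
            System.out.println("B, principal in thread : " + nameOf(leakedPlain.callerPrincipal()));
        });
        clientB.start();
        clientB.join();
    }
}
```

Run with `java HandleLeakDemo.java` on a modern JDK. The thread-local design is not a complete answer either: as Dan notes, each remote call still has to carry and re-verify the principal unless the transport itself maintains an authenticated session.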