Jason,

Unless it is a requirement for your application to integrate with the NT domain, 
don't do it. Instead, create a database with user_id and password and authenticate 
against the database. You can also use JCE to create a symmetric key encryption for the 
password field on the database.

Hope this helps
-Rolando
  
---------- Original Message ----------------------------------
From: [EMAIL PROTECTED]
Date: Thu, 09 Nov 2000 08:09:23 -0500

>Just looking for the experiences of others on the list...
>
>How are you handling client authentication in your jBoss applications?  I 
>get the feeling that many developers on the list are using 
>servlet/jsp/<insert-web-technology-here> front-ends to their ejb 
>applications.  I work in a corporation where NT authentication is pretty 
>standard (i.e., everyone will have an NT logon id and password), and JNDI 
>is not implemented.  From what I understand of JAAS, the client side must 
>have server call-backs.  In my case, the client will be a web front-end, 
>most likely running on a *nix box (ejb server also running on *nix). Makes 
>it kind of tough to integrate with NT domains.
>
>I have coded a simple session bean that gets around this, but I haven't 
>load tested it yet.  When an authentication request comes in, it actually 
>tries to open an FTP session to one of the NT servers here, and determines 
>whether or not the logon was successful.  I can't believe that this will 
>hold up under any kind of stress--that remains to be seen.  My other 
>option is to have the user pass through a web-based authentication system 
>on an NT web server that could set a cookie if the user is authenticated, 
>but I'd rather not do that...I hate spreading the application so thin, 
>with so many points of failure.
>
>Obviously, we could ask people to register and set up passwords, etc. But, 
>besides being a security concern (housing people's passwords that they 
>probably use for other services too), it's a major hassle to ask our 
>customers to remember yet another password.
>
>Has anyone else dealt with this?  What have you done about it?
>
>-Jason
>
>
>--
>--------------------------------------------------------------
>To subscribe:        [EMAIL PROTECTED]
>To unsubscribe:      [EMAIL PROTECTED]
>Problems?:           [EMAIL PROTECTED]
>
>

