Hi Rickard,

Yes, that's what I was getting at by mentioning TLS, which is a
stateful protocol that does something like what you suggest. This
would allow us to avoid reauthentication on each remote method
call. Because without a security infrastructure like public key
encryption the principal and credential need to be sent in the clear,
this is probably the most likely scenario for maintaining per-user
state.

-Dan

On 9 Nov 00, at 17:06, Rickard Öberg wrote:
> Hi!
>
> Dan OConnor wrote:
> > I think I might see where we're missing each other. Our application
> > server is stateless. In other words, it doesn't remember anything
> > about the clients that are "out there." Even a stateful session bean
> > is accessed by a "stateless" client that uses a private key. So any
> > information you want to be associated with a call (such as principal
> > and credential) needs to be propagated on the remote call.
>
> Note that this (=knowing who the caller is) could be solved by using a
> custom socket factory that associates each socket connection with a
> specific user. This could either be used for applications that have
> application clients, or cases where a webserver is client so whatever
> principal it sends with the call is correct and does not need to be
> authenticated.
>
> This requires socket factories to be pluggable in the JRMP
> ContainerInvoker which is not currently the case.
>
> R U following?
>
> /Rickard
>
> --
> Rickard Öberg
>
> Email: [EMAIL PROTECTED]
> http://www.telkel.com
> http://www.jboss.org
> http://www.dreambean.com
>
>
> --
> --------------------------------------------------------------
> To subscribe: [EMAIL PROTECTED]
> To unsubscribe: [EMAIL PROTECTED]
> Problems?: [EMAIL PROTECTED]
>