|Two things:
|
|1. I'm not sure I understand how this works, unless you use some
|form of transport layer security--because as far as I know, there is
|no way to indicate the session to which a remote call belongs
|except by using implicit parameters. Can you explain more how
|this works?

This works if you have a 1-1 mapping client-server :)))) Remember (as you
pointed out in another mail) we are stateless and have an n-1 relationship on
client-server (scalability).

So sometimes, brain-dead designs have good by-products :)

But maybe your point is that EVEN in a 1-1 mapping there is no way to
authenticate the caller properly.  I agree.

|2. JNDI lookup is not spec-compliant with EJB security. Consider
|the case where a client serializes the home interface handle, and a
|different client (with a different user) deserializes and uses it. This
|new user has unauthorized access.
|
|By the way, in my opinion the real overhead is in reauthenticating
|the client with each remote call--not the cost of transporting the
|principal and credential. To my knowledge, this can only be fixed
|with a session-based secure transport (e.g. SSL/TLS) and a
|"trusted client" token.

You know more than me

marc

|
|-Dan
|
|>
|> Has anyone considered this, which should have better performance than
|> passing the information with each invocation?  Are there any drawbacks
|> to this approach?
|>
|> [ This idea came from John Ellis on the jonas-users mailing list,
|> message dated November 8, 2000. ]
|>
|> - Keith
|>
|> -----Original Message-----
|> From: Oleg Nitz <[EMAIL PROTECTED]>
|> To: jBoss <[EMAIL PROTECTED]>
|> Date: Monday, November 06, 2000 6:16 AM
|> Subject: Re: [jBoss-User] problem with ctx.getCallerPrincipal()
|>
|>
|> >Hi jBoss,
|> >
|> >Keith L. Musser wrote:
|> >KLM> For my application, my beans need to know who the end-user is. When I
|> >KLM> call the "getCallerPrincipal()" method in the SessionContext or
|> >KLM> EntityContext, I receive "null".
|> >
|> >KLM> Does jBoss propagate the caller principal per the EJB spec?
|> >Yes.
|> >
|> >KLM> If so, how can my client set it initially?
|> >The simplest way: call
|> >org.jboss.system.SecurityAssociation.setPrincipal()
|> >on client.
|> >
|> >Other way: use JAAS, see
|> >http://www.mail-archive.com/[EMAIL PROTECTED]/msg04170.html
|> >
|> >Sorry, the documentation on this topic is not ready yet.
|> >
|> >Best regards,
|> > Oleg
|> >
|> >
|> >
|> >
|> >--
|> >--------------------------------------------------------------
|> >To subscribe:        [EMAIL PROTECTED]
|> >To unsubscribe:      [EMAIL PROTECTED]
|> >Problems?:           [EMAIL PROTECTED]
|> >

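Dan's second point above (a serialized home handle deserialized by a different user), as an added Java illustration that is not from the thread and not jBoss code: a stand-in handle carrying only a session token, a server that treats it as a bearer token, and a server that also binds the token to the transport session (e.g. the TLS session) on which the login happened. The class and method names, the session ids and the credentials are all constructed for the example.

```java
import java.io.*;
import java.util.*;

// Added illustration, not jBoss code: a serialized handle that the server treats as a
// bearer token, beside a server that also binds the token to the secure session.
public class HandleReuseDemo {
    // Stand-in for a serializable EJB handle; it carries only an opaque session token.
    static final class Handle implements Serializable { final String token; Handle(String t) { token = t; } }
    // Server-side session table filled at login (all values here are constructed).
    static final Map<String, String> principalByToken = new HashMap<>();
    static final Map<String, String> transportByToken = new HashMap<>();

    // Hypothetical login: check the credential once, then remember who owns the token
    // and on which transport session (e.g. the TLS session id) the login happened.
    static Handle login(String user, String password, String transportSession) {
        if (!password.equals("pw-" + user)) throw new SecurityException("bad credentials");
        String token = UUID.randomUUID().toString();
        principalByToken.put(token, user);
        transportByToken.put(token, transportSession);
        return new Handle(token);
    }
    // Weak: whoever can deserialize the handle bytes is treated as the original user,
    // which is the unauthorized access described in the thread.
    static String callerPrincipalWeak(Handle h) {
        return principalByToken.get(h.token);
    }
    // Bound: the token is honoured only on the transport session that authenticated it,
    // so the same bytes presented from another client's session are refused.
    static String callerPrincipalBound(Handle h, String transportSession) {
        String p = principalByToken.get(h.token);
        if (p == null || !transportSession.equals(transportByToken.get(h.token)))
            throw new SecurityException("handle not valid on this session");
        return p;
    }

    // Client A serializes the handle; client B deserializes the same bytes.
    static Handle roundTrip(Handle h) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(h);
        oos.flush();
        return (Handle) new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray())).readObject();
    }

    public static void main(String[] args) throws Exception {
        Handle copied = roundTrip(login("alice", "pw-alice", "tls-session-A"));
        System.out.println("weak server sees: " + callerPrincipalWeak(copied));
        try { callerPrincipalBound(copied, "tls-session-B"); }
        catch (SecurityException e) { System.out.println("bound server: " + e.getMessage()); }
    }
}
```

The weak server reports the first user's principal for the copied handle; the bound server rejects it because the second client presents it on a different transport session.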