Hi. It seems that security is something that is not widely used among
the jBoss crowd. I've just started looking into this, so I might be
wrong on some points.

It sounds like you are coming from a WebLogic background (and your name
sounds familiar from WL newsgroups), so there are some things you need
to unlearn.

1) The username and password you specify when creating an InitialContext
have *nothing* to do with authentication or authorisation for EJB
access, only for JNDI access. I don't know if JNP has any security
features at all.

To make jBoss enforce security, you need to specify a security
interceptor in your jboss.xml. The two tags are <authentication-module>
and <role-mapping-manager>. They must both be present for the container
configuration you're using. I've been using the JAAS stuff, so I have
both of these set to java:/jaas/other. You can also use
java:/EJBSecurityManager and java:/SimpleRealmMapping.

Basically, use the source. See
org/jboss/ejb/plugins/SecurityInterceptor.java and
org/jboss/security/*.java.

What it comes down to is that you need to implement your own security
mechanisms for anything more than what the example implementations
provide. I'd suggest reading up on JAAS and using that because it will
be the standard soon.

Regards,
Toby.

"Kenworthy, Edward" wrote:
>
> Hi Guys
>
> My first post so treat me gently.
>
> How do I do security using jBoss? I really need to know two parts (as these
> are not defined in the EJB spec)
>
> 1) How do I set up a username and password when getting my initial context?
> 2) How do I manage the user/passwords/roles that jBoss uses to authenticate
> against?
>
> I've had a look at the documentation, and there's nothing there :-(
>
> Edward
--
Toby Allsopp
Research
Peace Software International Ltd
Ph +64-9-3730400