Hi Toby
Thanks for your help, response/questions/gratitude below.
Edward
-----Original Message-----
From: Toby Allsopp [mailto:[EMAIL PROTECTED]]
Sent: 04 December 2000 18:54
To: jBoss
Subject: Re: [jBoss-User] Security
>Hi. It seems that security is something that is not widely used among
>the jBoss crowd. I've just started looking into this, so I might be
>wrong on some points.
>It sounds like you are coming from a WebLogic background (and your name
>sounds familiar from WL newsgroups), so there are some things you need
>to unlearn.
Heh, you must have a good memory, it's been a while since I posted there :-)
>1) The username and password you specify when creating an InitialContext
>have *nothing* to do with authentication or authorisation for EJB
>access, only for JNDI access. I don't know if JNP has any security
>features at all.
Actually yes they do. This isn't part of the standard, true - hence my
question wrt jBoss, but it works like that with all the other AppServers
I've used.
>To make jBoss enforce security, you need to specify a security
>interceptor in your jboss.xml. The two tags are <authentication-module>
>and <role-mapping-manager>. They must both be present for the container
>configuration you're using. I've been using the JAAS stuff, so I have
>both of these set to java:/jaas/other. You can also use
>java:/EJBSecurityManager and java:/SimpleRealmMapping.
OK, will have to look more closely at this then.
>Basically, use the source. See
>org/jboss/ejb/plugins/SecurityInterceptor.java and
>org/jboss/security/*.java.
>What it comes down to is that you need to implement your own security
>mechanisms for anything more than what the example implementations
>provide.
Do I take this to mean jBoss doesn't provide any security and you have to do
it yourself (jBoss just providing the hooks) or have I misunderstood ?
>I'd suggest reading up on JAAS and using that because it will
>be the standard soon.
OK will do. Thanks for the pointer.
>Regards,
>
>Toby.
"Kenworthy, Edward" wrote:
>
> Hi Guys
>
> My first post so treat me gently.
>
> How do I do security using jBoss ? I really need to know two parts (as these
> are not defined in the EJB spec)
>
> 1) How do I set up a username and password when getting my initial context ?
> 2) How do I manage the user/passwords/roles that jBoss uses to authenticate
> against ?
>
> I've had a look at the documentation, and there's nothing there :-(
>
> Edward
--
Toby Allsopp
Research
Peace Software International Ltd
Ph +64-9-3730400
--
--------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
Problems?: [EMAIL PROTECTED]