Further to my previous emails I want to try and clarify something re client.
There are 4 parts to security.
1. Logging on the app server. This is done when you get the InitialContext.
The AppServer gets passed your username and password and authenticates you.
None of this is standardised. WLS, for example, has you put the user name and
password in the hashtable you use to get your initial context and uses some
back-end mechanism for actually performing the authentication (an LDAP
server in our case).
2. EJB beans getting hold of the caller principal. This is standardised.
3. Defining access controls to the EJBs in the XML deployment descriptor.
This is standardised.
4. Controlling access to the beans/methods based on the group the username
belongs to. This is not standardised.
As I understand it, JAAS is an API for the back-end, AppServer to Security
Server interface (i.e. it doesn't affect clients at all). I.e. it's the Java
world's version of LDAP.
So when Toby talks about implementing security managers etc etc etc he's
basically talking about configuring the back-end schema (just as we do with
LDAP) ?
Is that right ?
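To make the "standardised" parts of the list above concrete, here is an added example (not code from this thread, jBoss or WLS): an EJB 1.1 stateless session bean that reads the caller principal (part 2) and makes a portable role check, with the matching ejb-jar.xml access-control fragment (part 3) in the trailing comment. The bean name, method names and role names are invented; the home and remote interfaces and the server-specific role-to-group mapping (part 4) are left out because the specification does not define them.

```java
// Added example, not from the mailing-list thread. AccountBean, "admin",
// "administrator" and "teller" are hypothetical names.
import java.security.Principal;
import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class AccountBean implements SessionBean {
    private SessionContext ctx;

    // The container hands the bean its context; keep it for security calls.
    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }

    public void ejbCreate() throws CreateException {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}

    // Part 2 (standard): the caller identity the container established when
    // it authenticated the call. This is independent of whatever credentials
    // the client placed in its JNDI environment.
    public String whoAmI() {
        Principal caller = ctx.getCallerPrincipal();
        return caller.getName();
    }

    // A portable programmatic check: the bean asks about a *role* it declares
    // (see security-role-ref below); how users and groups map onto that role
    // is the server-specific piece described as part 4.
    public void closeAccount(String accountId) {
        if (!ctx.isCallerInRole("admin")) {
            throw new EJBException("caller " + ctx.getCallerPrincipal().getName()
                + " may not close accounts");
        }
        // account closing logic would go here
    }
}

/* Part 3 (standard): declarative access control in ejb-jar.xml, assumed to be
   deployed with the bean. The security-role-ref links the "admin" string used
   in isCallerInRole to the assembly-level role "administrator".

<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>Account</ejb-name>
      <!-- home, remote, ejb-class, session-type, transaction-type omitted -->
      <security-role-ref>
        <role-name>admin</role-name>
        <role-link>administrator</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>administrator</role-name></security-role>
    <security-role><role-name>teller</role-name></security-role>
    <method-permission>
      <role-name>teller</role-name>
      <method><ejb-name>Account</ejb-name><method-name>whoAmI</method-name></method>
    </method-permission>
    <method-permission>
      <role-name>administrator</role-name>
      <method><ejb-name>Account</ejb-name><method-name>*</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
*/
```

The container enforces the method-permission entries before the bean code runs, so a teller calling closeAccount is rejected without the isCallerInRole check ever executing; the programmatic check only matters for callers the descriptor already admits.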
-----Original Message-----
From: Rickard Öberg [mailto:[EMAIL PROTECTED]]
Sent: 05 December 2000 13:23
To: jBoss
Subject: Re: [jBoss-User] Security
Hi!
"Kenworthy, Edward" wrote:
> >1) The username and password you specify when creating an InitialContext
> >have *nothing* to do with authentication or authorisation for EJB
> >access, only for JNDI access. I don't know if JNP has any security
> >features at all.
>
> Actually yes they do. This isn't part of the standard, true - hence my
> question wrt jBoss, but it works like that with all the other AppServers
> I've used.
Which is Bad(tm). As Toby said, unlearn that practice ;-)
> >What it comes down to is that you need to implement your own security
> >mechanisms for anything more than what the example implementations
> >provide.
>
> Do I take this to mean jBoss doesn't provide any security and you have to do
> it yourself (jBoss just providing the hooks) or have I misunderstood ?
The thing is that this is pretty new functionality, and which hasn't
been properly documented yet. AFAICT (and I haven't used it myself)
there *is* security available if you want to use the default
implementation, which (AFAICT) is similar to the database realm in WL.
regards,
Rickard
--
Rickard Öberg
Email: [EMAIL PROTECTED]
--
--------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
Problems?: [EMAIL PROTECTED]