"Kenworthy, Edward" wrote:
> Further to my previous emails I want to try and clarify something re client.
>
> There are 4 parts to security.
>
> 1. Logging on the app server. This is done when you get the InitialContext.
> The AppServer gets passed your username and password and authenticates you.
> None of this is standardised. WLS, for example, has you put the user name and
> password in the hashtable you use to get your initial context and uses some
> back-end mechanism for actually performing the authentication (an LDAP
> server in our case).
Note that this is only for accessing the JNDI namespace, and is not
really related to "logging on the app server" as such. That should be
done through JAAS if a non-proprietary mechanism is desired. It is also
possible to use web authentication for a standardised way of doing
authentication.
> 2. EJB beans getting hold of the caller principal. This is standardised.
But not how to set the caller principal.
> 3. Defining access controls to the EJBs in the XML deployment descriptor.
> This is standardised.
True.
> 4. Controlling access based on the group the username belongs to the
> beans/methods. This is not standardised.
True.
> As I understand it, JAAS is an API for the back-end, AppServer to Security
> Server interface (i.e. doesn't affect clients at all). I.e. it's the Java world's
> version of LDAP.
JAAS is for client authentication too.
> So when Toby talks about implementing security managers etc etc etc he's
> basically talking about configuring the back-end schema (just as we do with
> LDAP)?
>
> Is that right?
Yes, but your client should use JAAS to do the authentication.
Some vendors have used the JNDI context as a way to do client
authentication, but it's just a hack because of the lack of standardized
ways of doing it. Now that we have JAAS it should be deprecated ASAP.
/Rickard
--
Rickard Öberg
Email: [EMAIL PROTECTED]