Ah ha!

So what you're saying is, whereas with WLS (and others) getting the
InitialContext and "logging on" to the AppServer is one step, the "proper"
way to do it in the future, when JAAS becomes part of the spec (EJB 2.1?), it
will be two steps: get the InitialContext, then "log on" to the AppServer using
JAAS.

-----Original Message-----
From: Rickard Öberg [mailto:[EMAIL PROTECTED]]
Sent: 05 December 2000 15:03
To: jBoss
Subject: Re: [jBoss-User] Security


"Kenworthy, Edward" wrote:
> Further to my previous emails I want to try and clarify something re client.
> 
> There are 4 parts to security.
> 
> 1. Logging on the app server. This is done when you get the InitialContext.
> The AppServer gets passed your username and password and authenticates you.
> None of this is standardised. WLS for example has you put the user name and
> password in the hashtable you use to get your initial context and uses some
> back-end mechanism for actually performing the authentication (an LDAP
> server in our case).

Note that this is only for accessing the JNDI namespace, and is not
really related to "logging on the app server" as such. That should be
done through JAAS if a non-proprietary mechanism is desired. It is also
possible to use web authentication for a standardised way of doing
authentication.

> 2. EJB beans getting hold of the caller principal. This is standardised.

But not how to set the caller principal.

> 3. Defining access controls to the EJBs in the XML deployment descriptor.
> This is standardised.

True.

> 4. Controlling access based on the group the username belongs to the
> beans/methods. This is not standardised.

True.

> As I understand it, JAAS is an API for the back-end, AppServer to Security
> Server interface (i.e. it doesn't affect clients at all). I.e. it's the Java
> world's version of LDAP.

JAAS is for client authentication too.

> So when Toby talks about implementing security managers etc etc etc he's
> basically talking about configuring the back-end schema (just as we do with
> LDAP)?
> 
> Is that right ?

Yes, but your client should use JAAS to do the authentication.

Some vendors have used the JNDI context as a way to do client
authentication, but it's just a hack because of the lack of standardized
ways of doing it. Now that we have JAAS it should be deprecated ASAP.

/Rickard

-- 
Rickard Öberg

Email: [EMAIL PROTECTED]


--
--------------------------------------------------------------
To subscribe:        [EMAIL PROTECTED]
To unsubscribe:      [EMAIL PROTECTED]
Problems?:           [EMAIL PROTECTED]
