Ah, ok, now I understand. Thanks.

Just one last question :-)

If I do what Toby suggested in his original post, i.e. use JAAS and set the
two tags <authentication-module> and <role-mapping-manager> to
java:/jaas/other then have you any pointers to where I look to find out how
the client logs on, and how I manage users/passwords/roles? I'm reading my
way through the documentation available on the javasoft site,
http://java.sun.com/products/jaas/, but so far that seems to be focused on
a) general overview and justification and b) implementers of JAAS (but
perhaps I just haven't found the right bit yet).

Edward

-----Original Message-----
From: Rickard Öberg [mailto:[EMAIL PROTECTED]]
Sent: 05 December 2000 15:30
To: jBoss
Subject: Re: [jBoss-User] Security


Hi!

"Kenworthy, Edward" wrote:
> Really ?

Really ;-)

> Wow and ouch, I thought it worked like this:
> 
> 1/ get initial context, sets up caller principle.
> 2/ lookup bean.
> 3/ try and invoke a method, app server checks caller principle for
> permission.
> 
> If it works like this, then passing around a reference isn't a problem as it
> will use your permissions, not any associated with the reference.

Depends on what you mean by "sets up caller principal" (note spelling
BTW). What is its scope? The thread? The JVM? The current context
classloader? The threadgroup? All valid options, in some sense, but with
wildly different semantics.

> Anyone, assuming you're right ;-), how do I "log-on" to the app server ?

1) Use some proprietary mechanism
2) Use J2EE-valid client containers, i.e. servlets, which have a standard
authentication method
3) Use JAAS

/Rickard

-- 
Rickard Öberg

Email: [EMAIL PROTECTED]


--
--------------------------------------------------------------
To subscribe:        [EMAIL PROTECTED]
To unsubscribe:      [EMAIL PROTECTED]
Problems?:           [EMAIL PROTECTED]

