Actually I'll amend this question if I may :-)

I've read and understood all the JAAS stuff (Although it's not clear to me
how my LoginContext is bound to accessing the EJBs, as Rickard has asked
before, what is the scope ? My question is, what is the scope and how do I
set it ?).

So for example I now know that to logon I use:

        import java.security.Principal;
        import javax.security.auth.Subject;
        import javax.security.auth.login.LoginContext;
        import javax.security.auth.login.LoginException;

        Subject edward = new Subject();
        // java.security.Principal is an interface, so a concrete implementation is needed
        edward.getPrincipals().add(new Principal() {
                public String getName() { return "Customer"; }
        });
        // note: public credentials are readable by anything that holds the Subject
        edward.getPublicCredentials().add("mypassword");

        try
        {
                LoginContext edwardLC = new LoginContext("EdwardKenworthy", edward);
                edwardLC.login();   // was LC.login(); LC is never declared
        }
        catch (LoginException le)
        {
                // oops
        }

However, if all I do is this then I get a "java.lang.SecurityException:
Unable to locate login configuration".

Which makes sense, but now we are into the realms of jBoss specifics. What
jBoss JAAS login configuration should I be using for my client ? And how do
I set it up ?

This then leads me onto a related question, for jBoss's implementation of
JAAS (org.jboss.security.JaasSecurity*.java), how do I manage (CRUD) users,
credentials(passwords) and roles ?

If there's any sample/test client and admin-client code (presumably you
wrote such things whilst implementing it) could you make the source
available so I can dissect it and work out what to do ? (You never know I
might even write it up as a HOWTO ;-)

Quivering in anticipation

Edward
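An added, self-contained example (not code from this thread or from jBoss) of a JAAS client login once a login configuration actually exists: the constructed demo.config file names a toy LoginModule, the client hands the password over through a CallbackHandler rather than storing it as a public credential on the Subject, and the -Djava.security.auth.login.config property is what avoids the "Unable to locate login configuration" SecurityException quoted above. The class, entry and account names are all constructed for the example.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Constructed example. Run as:  java -Djava.security.auth.login.config=demo.config JaasClientDemo
// with demo.config (a constructed file, not one shipped by jBoss) containing one entry:
//   DemoClient { JaasClientDemo$DemoLoginModule required; };
public class JaasClientDemo {
    /** Client side: answers the LoginModule's name/password callbacks. */
    static class PasswordHandler implements CallbackHandler {
        private final String user; private final char[] pass;
        PasswordHandler(String user, char[] pass) { this.user = user; this.pass = pass; }
        public void handle(Callback[] cbs) throws UnsupportedCallbackException {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass);
                else throw new UnsupportedCallbackException(cb);
            }
        }
    }
    /** Toy LoginModule with one hard-coded account; a real one would consult a user store. */
    public static class DemoLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private boolean ok;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sh, Map<String, ?> o) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            ok = "edward".equals(nc.getName()) && Arrays.equals(pc.getPassword(), "mypassword".toCharArray());
            pc.clearPassword();  // do not keep the password in memory longer than needed
            if (!ok) throw new FailedLoginException("bad user name or password");
            return true;
        }
        public boolean commit() { if (ok) subject.getPrincipals().add(() -> "Customer"); return ok; }
        public boolean abort() { ok = false; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }
    public static void main(String[] args) throws LoginException {
        LoginContext lc = new LoginContext("DemoClient", new PasswordHandler("edward", "mypassword".toCharArray()));
        lc.login();  // the authenticated Subject is now available via lc.getSubject()
        for (Principal p : lc.getSubject().getPrincipals()) System.out.println("principal: " + p.getName());
        lc.logout();
    }
}
```

Leave out the -D property and the same program fails in the LoginContext constructor with the SecurityException from the message above; a wrong password fails in login() with FailedLoginException instead.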

-----Original Message-----
From: Kenworthy, Edward [mailto:[EMAIL PROTECTED]]
Sent: 06 December 2000 10:38
To: 'jBoss'
Subject: RE: [jBoss-User] Security


Ah, ok, now I understand. Thanks.

Just one last question :-)

If I do what Toby suggested in his original post, ie use JAAS and set the
two tags <authentication-module> and <role-mapping-manager> to
java:/jaas/other then have you any pointers to where I look to find out how
the client logs on, and how I manage users/passwords/roles. I'm reading my
way through the documentation available on the javasoft site,
http://java.sun.com/products/jaas/, but so far that seems to be focused on
a) general overview and justification and b) implementers of JAAS (but
perhaps I just haven't found the right bit yet).

Edward

-----Original Message-----
From: Rickard Öberg [mailto:[EMAIL PROTECTED]]
Sent: 05 December 2000 15:30
To: jBoss
Subject: Re: [jBoss-User] Security


Hi!

"Kenworthy, Edward" wrote:
> Really ?

Really ;-)

> Wow and ouch, I thought it worked like this:
> 
> 1/ get initial context, sets up caller principle.
> 2/ lookup bean.
> 3/ try and invoke a method, app server checks caller principle for
> permission.
> 
> If it works like this, then passing around a reference isn't a problem as
it
> will use your permissions, not any associated with the reference.

Depends on what you mean by "sets up caller principal" (note spelling
BTW). What is its scope? The thread? The JVM? The current context
classloader? The threadgroup? All valid options, in some sense, but with
wildly different semantics.

> Anyway, assuming you're right ;-), how do I "log-on" to the app server ?

1) Use some proprietary mechanism
2) Use J2EE-valid client containers, i.e. servlets, which have a standard
authentication method
3) Use JAAS

/Rickard

-- 
Rickard Öberg

Email: [EMAIL PROTECTED]


--
--------------------------------------------------------------
To subscribe:        [EMAIL PROTECTED]
To unsubscribe:      [EMAIL PROTECTED]
Problems?:           [EMAIL PROTECTED]

