A little contribution to this security discussion. I have created a sequence diagram showing
the steps involved with the client's setup of the security context used for the jBoss
calls. This only includes the org.jboss.security.ClientLoginModule and the diagram
shows that this module just sets up the jboss client side environment to marshall the
Principal and password obtained from the CallbackHandler implemented by the
client application. Most likely one would have a second LoginModule implementation
to validate the credentials rather than waiting for calls to fail when any server side
LoginModule performs validation (at least I would).

One thing I saw in going through the ClientLoginModule is that the logout() method
does not clear the SecurityAssociation state as the abort() method does. This means
that once the user has performed a login(), they remain that user for the duration of
the client, even after a logout(). Shouldn't logout() clear the SecurityAssociation state
as well?

PS, the list won't allow attachments to be sent so where should I place the diagram? As
a documentation bug attachment?
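As an added illustration (not JBoss's code and not the ClientLoginModule the mail describes), here is a minimal JAAS client login module whose logout() drops the thread-local association exactly as abort() does, which is the behaviour the mail asks for. ClientSecurityAssociation is a hypothetical stand-in for the client-side state holder, not the real org.jboss.security.SecurityAssociation.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical stand-in for the per-thread client security state; not JBoss's class. */
final class ClientSecurityAssociation {
    private static final ThreadLocal<Principal> PRINCIPAL = new ThreadLocal<>();
    private static final ThreadLocal<Object> CREDENTIAL = new ThreadLocal<>();
    static void set(Principal p, Object c) { PRINCIPAL.set(p); CREDENTIAL.set(c); }
    static Principal getPrincipal() { return PRINCIPAL.get(); }
    static void clear() { PRINCIPAL.remove(); CREDENTIAL.remove(); }
}

/** login() gathers name/password from the CallbackHandler, commit() publishes them,
 *  and both abort() and logout() clear the association again. */
public class ClearingClientLoginModule implements LoginModule {
    private CallbackHandler handler;
    private Principal principal;
    private char[] password;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        this.handler = h;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("User name: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (Exception e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        final String name = nc.getName();
        principal = () -> name;          // Principal's only abstract method is getName()
        password = pc.getPassword();
        pc.clearPassword();              // do not leave a second copy in the callback
        return true;
    }

    public boolean commit() { ClientSecurityAssociation.set(principal, password); return true; }

    public boolean abort() { wipe(); ClientSecurityAssociation.clear(); return true; }

    // The point raised on the list: without this clear() the thread keeps acting as the
    // previously logged-in user after logout().
    public boolean logout() { wipe(); ClientSecurityAssociation.clear(); return true; }

    private void wipe() {
        if (password != null) Arrays.fill(password, '\0');
        principal = null;
        password = null;
    }
}
```

After logout(), ClientSecurityAssociation.getPrincipal() on the calling thread returns null rather than the previous user.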
