That's interesting, because it confirms what I was beginning to suspect, namely that authentication doesn't occur at login (!) but only when you try and do something. Perhaps "login" is a misnomer? Something like "attach security association to the current thread" would be better ;-)
-----Original Message-----
From: Scott M Stark [mailto:[EMAIL PROTECTED]]
Sent: 07 December 2000 05:03
To: jBoss
Subject: Re: [jBoss-User] Security
A little contribution to this security discussion. I have created a sequence diagram showing the steps involved with the client's setup of the security context used for the jBoss calls. This only includes the org.jboss.security.ClientLoginModule and the diagram shows that this module just sets up the jboss client side environment to marshall the Principal and password obtained from the CallbackHandler implemented by the client application. Most likely one would have a second LoginModule implementation to validate the credentials rather than waiting for calls to fail when any server side LoginModule performs validation (at least I would).

One thing I saw in going through the ClientLoginModule is that the logout() method does not clear the SecurityAssociation state as the abort() method does. This means that once the user has performed a login(), they remain that user for the duration of the client, even after a logout(). Shouldn't logout() clear the SecurityAssociation state as well?

PS, the list won't allow attachments to be sent so where should I place the diagram? As a documentation bug attachment?
--
--------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
Problems?: [EMAIL PROTECTED]
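To illustrate the logout() point raised above, here is an added example (not JBoss's ClientLoginModule and not the list poster's code) of a client-side JAAS LoginModule whose abort() and logout() both drop the thread-local association. The ClientAssociation holder is a hypothetical stand-in for the thread-local state the thread discusses, not the real org.jboss.security.SecurityAssociation API.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
// Hypothetical thread-local "security association" holder (assumption: it
// stands in for the real JBoss class, whose API is not shown on the page).
final class ClientAssociation {
    private static final ThreadLocal<Principal> PRINCIPAL = new ThreadLocal<>();
    private static final ThreadLocal<char[]> CREDENTIAL = new ThreadLocal<>();
    static void set(Principal p, char[] c) { PRINCIPAL.set(p); CREDENTIAL.set(c); }
    static Principal principal() { return PRINCIPAL.get(); }
    static void clear() {
        char[] c = CREDENTIAL.get();
        if (c != null) java.util.Arrays.fill(c, '\0'); // scrub the password copy
        PRINCIPAL.remove(); CREDENTIAL.remove();
    }
}
public class ClearingClientLoginModule implements LoginModule {
    private CallbackHandler handler;
    private Principal principal;
    private char[] password;
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
    }
    // login() only collects the name and password from the application's handler;
    // nothing is validated here, which is why the client "remains" whoever it said.
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("User: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e); }
        final String name = nc.getName();
        principal = new Principal() { public String getName() { return name; } };
        password = pc.getPassword(); // getPassword() returns a copy
        pc.clearPassword();
        return true;
    }
    public boolean commit() { ClientAssociation.set(principal, password); return true; }
    public boolean abort()  { ClientAssociation.clear(); return true; }
    // The fix asked for on the list: logout() must drop the association too,
    // otherwise later calls on this thread still carry the old identity.
    public boolean logout() { ClientAssociation.clear(); return true; }
}
```

After LoginContext.logout(), ClientAssociation.principal() returns null on the calling thread, so a subsequent call cannot silently reuse the earlier credentials.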