Ah ha! How is it that just as I start worrying about the next thing you manage
to answer it (in this case the inefficiency of authenticating on each method
call).
Thanks for all your help :-)
-----Original Message-----
From: Oleg Nitz [mailto:[EMAIL PROTECTED]]
Sent: 07 December 2000 10:06
To: jBoss
Subject: Re[2]: [jBoss-User] Security
Hi Edward,
Kenworthy, Edward wrote:
KE> That's interesting, because it confirms what I was beginning to suspect,
KE> namely that authentication doesn't occur at login (!) but only when you try
KE> and do something. Perhaps "login" is a misnomer? Something like "attach
KE> security association to the current thread" would be better ;-)
Authentication is performed on each method call. But the server
login module is called only on the first call, then user/password info
is put into the cache. For now the cache is never purged, but such a
possibility should be added in the future.
Note: jBoss is stateless, in general it doesn't hold the list of users
that have logged in, and there is no such thing as user logout.
Thus, "login" is a misnomer from some point of view.
From another it's not :-)
Best regards,
Oleg
KE> -----Original Message-----
KE> From: Scott M Stark [mailto:[EMAIL PROTECTED]]
KE> Sent: 07 December 2000 05:03
KE> To: jBoss
KE> Subject: Re: [jBoss-User] Security
KE> A little contribution to this security discussion. I have created a sequence
KE> diagram showing the steps involved with the client's setup of the security
KE> context used for the jBoss calls. This only includes the
KE> org.jboss.security.ClientLoginModule and the diagram shows that this module
KE> just sets up the jboss client side environment to marshall the Principal and
KE> password obtained from the CallbackHandler implemented by the client
KE> application. Most likely one would have a second LoginModule implementation
KE> to validate the credentials rather than waiting for calls to fail when any
KE> server side LoginModule performs validation (at least I would).
KE> One thing I saw in going through the ClientLoginModule is that the logout()
KE> method does not clear the SecurityAssociation state as the abort() method
KE> does. This means that once the user has performed a login(), they remain
KE> that user for the duration of the client, even after a logout(). Shouldn't
KE> logout() clear the SecurityAssociation state as well?
KE> PS, the list won't allow attachments to be sent so where should I place the
KE> diagram? As a documentation bug attachment?
KE> --
KE> --------------------------------------------------------------
KE> To subscribe: [EMAIL PROTECTED]
KE> To unsubscribe: [EMAIL PROTECTED]
KE> Problems?: [EMAIL PROTECTED]
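The two behaviours discussed in this thread, Oleg's per-call authentication backed by a never-purged credential cache and Scott's observation that the client-side logout() does not clear the thread's security association, can be seen end to end in the following added example. It is illustration code written for this page, not JBoss source: SecurityContext stands in for SecurityAssociation, ClientLogin stands in for ClientLoginModule, and Server, its password store, the "edward"/"s3cret" credentials and the purge() method are all assumptions made for the demo.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration, not JBoss code. All class and method names are hypothetical.
public class AuthCacheDemo {

    // Stand-in for the client-side SecurityAssociation: principal and credential bound to the thread.
    static final class SecurityContext {
        private static final ThreadLocal<String> principal = new ThreadLocal<>();
        private static final ThreadLocal<char[]> credential = new ThreadLocal<>();
        static void set(String p, char[] c) { principal.set(p); credential.set(c); }
        static void clear() { principal.remove(); credential.remove(); }
        static String principal() { return principal.get(); }
        static char[] credential() { return credential.get(); }
    }

    // Stand-in for ClientLoginModule: commit() attaches the identity to the thread,
    // abort() clears it, buggyLogout() leaves it in place (the behaviour described in the thread),
    // fixedLogout() clears it the way abort() does.
    static final class ClientLogin {
        private final String user;
        private final char[] pass;
        ClientLogin(String u, char[] p) { user = u; pass = p; }
        void commit() { SecurityContext.set(user, pass); }
        void abort() { SecurityContext.clear(); }
        void buggyLogout() { /* intentionally does nothing: the association survives */ }
        void fixedLogout() { SecurityContext.clear(); }
    }

    // Server side: authenticate() runs on every invocation, but the expensive
    // login-module check runs only on a cache miss. Nothing evicts entries unless purge() is called.
    static final class Server {
        private final Map<String, char[]> passwords = new HashMap<>();       // assumed user store
        private final Map<String, char[]> cache = new ConcurrentHashMap<>();  // authenticated credentials
        int loginModuleCalls = 0;

        Server() { passwords.put("edward", "s3cret".toCharArray()); }

        boolean authenticate(String principal, char[] credential) {
            if (principal == null || credential == null) return false;
            char[] cached = cache.get(principal);
            if (cached != null) return Arrays.equals(cached, credential);   // cache hit: store not consulted
            loginModuleCalls++;                                             // cache miss: "login module" runs
            char[] stored = passwords.get(principal);
            boolean ok = stored != null && Arrays.equals(stored, credential);
            if (ok) cache.put(principal, credential.clone());
            return ok;
        }

        void changePassword(String user, char[] newPass) { passwords.put(user, newPass); }
        void purge(String user) { cache.remove(user); }

        // Every "method call" re-authenticates with whatever the calling thread carries.
        String invoke(String method) {
            boolean ok = authenticate(SecurityContext.principal(), SecurityContext.credential());
            return method + ": " + (ok ? "ok as " + SecurityContext.principal() : "access denied");
        }
    }

    public static void main(String[] args) {
        Server server = new Server();
        ClientLogin login = new ClientLogin("edward", "s3cret".toCharArray());
        login.commit();

        System.out.println(server.invoke("first"));    // miss: login module consulted
        System.out.println(server.invoke("second"));   // hit: served from the cache
        System.out.println("login module calls so far: " + server.loginModuleCalls);

        // Consequence of a never-purged cache: a server-side password change is invisible
        // while the old credential sits in the cache; only a purge forces re-validation.
        server.changePassword("edward", "n3w-pass".toCharArray());
        System.out.println(server.invoke("after password change"));
        server.purge("edward");
        System.out.println(server.invoke("after purge"));

        // The logout problem: the thread still carries the principal after buggyLogout().
        login.buggyLogout();
        System.out.println("principal after buggy logout: " + SecurityContext.principal());
        login.fixedLogout();
        System.out.println("principal after fixed logout: " + SecurityContext.principal());
    }
}
```

Run it with `javac AuthCacheDemo.java && java AuthCacheDemo`. The two things worth watching are the counter, which stays at one across repeated calls because only cache misses reach the login module, and the call made after the password change, which still succeeds until the entry is purged; that is the operational cost of a cache with no purge path, and it is why the client-side logout() needs to clear the association rather than rely on the server to forget anything.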