I want to develop a secured application with Tomcat (v3.2.1) that stands as an EJB client but where the security is managed by the EJB container. I use the BASIC authentication method to let the web browser get the user and password. I wrote a RequestInterceptor, similar to JDBCRealm, that creates the security service EJB. I also set up jBoss to use JAAS to protect the methods of my EJB.

When a user accesses a protected web resource, the web browser will prompt the user for user name and password. Then, supposedly, the RequestInterceptor that I wrote will create the security service EJB and use it to authenticate the user.

My problem is that, when RequestInterceptor calls the EJB's home.create(), jBoss' SecurityInterceptor jumps in to do authentication. Well, since the web user hasn't logged in yet, the principal is always null when calling the EJB's home.create(). Authentication always fails. I don't understand why JAAS protects the EJB's home.create() method even though there is no method-permission set up for it.

In summary, I want to get a reference to the security service EJB in RequestInterceptor. Then, when a web user wants to access a protected web resource that accesses protected EJB methods, RequestInterceptor will use the security service EJB to do authentication and authorization.

Any help? Thanks in advance.

Willie
