Hi,

You are facing a bootstrap problem.
You should have secure and non-secure EJBs.
Logging in should be reachable for anybody, hence
creating your security service EJB should be a
non-secure EJB. Anything beyond the authorization
can be secure using the attributes you established
with your non-secure security EJB.

You can create secure and unsecure EJBs in the
standardjboss.xml, but you have probably figured
that out.

Regards,

  Cor.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Willie Vu
Sent: Thursday, March 01, 2001 14:40
To: [EMAIL PROTECTED]
Subject: [jBoss-User] RE: Security Problem: Use EJB to do authentication


I want to develop a secured application with Tomcat (v3.2.1) that 
stands as an EJB client but where the security is managed by the 
EJB container.  I use the BASIC authentication method to let the 
web browser get the user and password.  I wrote a 
RequestInterceptor, similar to JDBCRealm, that creates the 
security service EJB.  I also set up jBoss to use JAAS to protect 
my methods of the EJB.

When a user accesses a protected web resource, the web browser 
will prompt the user for user name and password.  Then, 
supposedly, the RequestInterceptor that I wrote will create the 
security service EJB and use it to authenticate the user.  My 
problem is that, when RequestInterceptor calls EJB's 
home.create(), jBoss' SecurityInterceptor jumps in to do 
authentication.  Well, since the web user hasn't logged in yet, 
the principal is always null when calling EJB's home.create().  
Authentication always fails.  I don't understand why JAAS 
protects EJB's home.create() method even though there is no 
method-permission setup for it.

In summary, I want to get a reference to the security service EJB 
in RequestInterceptor.  Then, when a web user wants to access 
protected web resource that accesses protected EJB methods, 
RequestInterceptor will use the security service EJB to do 
authentication and authorization.

Any help?

Thanks in advance.

Willie




--
--------------------------------------------------------------
To subscribe:        [EMAIL PROTECTED]
To unsubscribe:      [EMAIL PROTECTED]
List Help?:          [EMAIL PROTECTED]



