That makes sense, but it's too bad that the original principal is lost.
Perhaps EJB2 needs the original caller's principal to verify the user has
permission to execute a particular method. I am referring to programmatic
security constraints and not the declarative EJB constraints.

I don't see a simple (or difficult) way of providing both restricted bean
methods *and* programmatic constraints.

jim

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Scott M Stark
> Sent: Thursday, March 15, 2001 6:16 PM
> To: JBoss-User
> Subject: Re: [jBoss-User] Security
>
>
> There is nothing like a run-as tag in the jboss.xml descriptor. You would have
> to do a JAAS login/logout around the code in EJB1 that accesses EJB2 to
> establish an alternate identity.
>
> ----- Original Message -----
> From: "James Cook" <[EMAIL PROTECTED]>
> To: "JBoss-User" <[EMAIL PROTECTED]>
> Sent: Thursday, March 15, 2001 2:38 PM
> Subject: Re: [jBoss-User] Security
>
>
> > I agree with the concept of security roles. Is there a way for EJB1 to forego
> > the user's credentials and adopt its own so it can access EJB2? Something like a
> > <run-as>?
> >
> > jim
> >
> >


