Thanks for your patience, as I know this may seem straightforward to some.

I have already succeeded in a previous project in using BASIC web authentication 
attached to a domain using the JBoss UsersRolesLoginModule. Only Customer and 
Admin roles can access specific web pages and then calls to remote EJBs are 
also restricted based on role.

Web.xml:

    <security-role>
      <role-name>admin</role-name>
    </security-role>
    <security-role>
      <role-name>customer</role-name>
    </security-role>

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>BankDomain</realm-name>
    </login-config>

JBoss-web.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <jboss-web>
      <security-domain flushOnSessionInvalidation="false">java:/jaas/BankDomain</security-domain>
      <context-root>/bank</context-root>
    </jboss-web>

JBoss.xml:

    <jboss>
      <security-domain>java:/jaas/BankDomain</security-domain>
    </jboss>


The target bean is the same remote stateless session bean, BankMgr, which uses 
the Caller Principal in the way you mentioned:

    public CustomerData getMyData() throws bank.BankException {
        Principal p = context.getCallerPrincipal();
        String userN = p.getName();
        if (userN.equalsIgnoreCase("ANONYMOUS") || userN.equalsIgnoreCase("GUEST")) {
            throw new BankException("BankMgrBean: getMyData - User not logged in");
        }
        int pUserId = Integer.parseInt(userN);

However, what I wanted to show in this Proof of Concept (PoC) project was that 
client authentication could be executed independently from server-side resource 
control, e.g. bean method execution. Such a scenario would occur if 
authentication of the client is not under your control; however, authorisation 
to use server-side (remote) resources is. Thus, I cannot use the same security 
realm for both the client and server resources.

Thanks again for your help.

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958791#3958791

_______________________________________________
jboss-user mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/jboss-user
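The caller-principal check from getMyData() in the post above, written as a stand-alone helper that also rejects a missing principal and a non-numeric principal name instead of letting Integer.parseInt throw. This is an added example, not code from the original post; the class name PrincipalUserId, the method resolveUserId and the use of SecurityException are assumptions, and the sample principal names are constructed.

```java
import java.security.Principal;

// Added illustration; PrincipalUserId and resolveUserId are hypothetical names.
public class PrincipalUserId {

    // Maps the caller principal to the numeric user id, as getMyData() does,
    // but fails closed on every input that does not identify a logged-in user.
    static int resolveUserId(Principal p) {
        if (p == null || p.getName() == null) {
            throw new SecurityException("no caller principal");
        }
        String name = p.getName().trim();
        if (name.equalsIgnoreCase("ANONYMOUS") || name.equalsIgnoreCase("GUEST")) {
            throw new SecurityException("user not logged in");
        }
        // Accept plain decimal digits only: parseInt alone would also accept
        // a sign ("-5", "+7") and throws an unchecked NumberFormatException
        // for anything else, such as a name issued by a different realm.
        if (!name.matches("[0-9]{1,9}")) {
            throw new SecurityException("principal name is not a user id");
        }
        return Integer.parseInt(name);
    }

    public static void main(String[] args) {
        // Constructed sample principal names, not taken from the original post.
        String[] samples = { "1001", "guest", "Anonymous", "alice@example.org", "-5", "" };
        for (String s : samples) {
            Principal p = () -> s;   // Principal has one abstract method, getName()
            try {
                System.out.println("'" + s + "' -> user id " + resolveUserId(p));
            } catch (SecurityException e) {
                System.out.println("'" + s + "' -> rejected: " + e.getMessage());
            }
        }
    }
}
```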