Thank you for being patient.

    StandaloneClient                            SecurityInterceptorOnServer                 SecureResource
          |                                               |                                       |
          |                                               |                                       |
          |1) doJAASlogin()                               |                                       |
          |                                               |                                       |
          |2) invokeSecureResource()                      |                                       |
          |---------------------------------------------->|                                       |
          |                                               |                                       |
          |                                               |                                       |
          |                                               |3) doJAASloginOnServer()               |
          |                                               |                                       |
          |                                               |4) if valid/authorized, let access     |
          |                                               |-------------------------------------->|
          |                                               |                                       |

The diagram above is just a simplified view of the entities involved; please do 
not go by the names.

Let's assume the following:
-------------------------
1) Only user (let's talk in terms of users instead of roles, for simplicity) 
"abc123" is allowed to access the secure resource.
2) You are using ClientLoginModule at the standalone client programmatically and 
UsersRolesLoginModule at the server (specified in jboss.xml) for securing the 
resource.


Here's the flow of what happens:

- The StandaloneClient invokes the doJAASlogin method using username 
"xyz" (an invalid user), which uses ClientLoginModule to *populate the security 
info*.
- The doJAASlogin internally invokes the LoginContext's login method, and this 
call to login succeeds even though the user is invalid. This is because you are 
using ClientLoginModule, which does no authentication.
- After login, the StandaloneClient tries to access a secure resource on the 
server. It passes the security info which was created using the 
ClientLoginModule. This security info includes the username "xyz" (invalid user).
- At this point the security interceptor (or whatever you call this entity) on 
the server comes into the picture, since the resource is a secure one.
- The SecurityInterceptorOnServer will look at the jboss.xml to check the 
security domain to be used for authenticating the user request. In our case we 
have mentioned it as UsersRolesLoginModule (in our assumption #2).
- The SecurityInterceptorOnServer internally kicks off the authentication of 
the user request, passing it the security info which was passed on by the 
StandaloneClient (this info includes the invalid username).
- During this process the UsersRolesLoginModule's login method is invoked. The 
UsersRolesLoginModule uses the username "xyz" and tries to login. But since 
this is not a valid user (remember, as per assumption #1, the valid username is 
"abc123"), the login fails and a SecurityException is thrown.
- Hence access to the secure resource fails at this point.

This is how the flow works while accessing a secure resource.
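The following is an added example, not JBoss code and not from the original post. It reproduces the flow above with plain JAAS from the JDK: a hypothetical ClientSideModule stands in for ClientLoginModule (it records whatever identity it is given and authenticates nothing), and a hypothetical ServerSideModule stands in for UsersRolesLoginModule (it checks the name and password against a constructed user table in which only "abc123" exists). The "client" and "server" security-domain names and the credentials are made up for the demonstration. Running it shows step 1 succeeding for the invalid user "xyz", step 3 rejecting that same identity with a LoginException, and the valid user passing the server-side check.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Added example: client-side "no authentication" module vs. server-side authenticating module. */
public class JaasFlowDemo {

    // Constructed users.properties-style table for the server side (assumption #1): only abc123 exists.
    static final Map<String, char[]> SERVER_USERS = Map.of("abc123", "secret".toCharArray());

    /** Minimal Principal carrying just the user name. */
    public static final class SimplePrincipal implements Principal {
        private final String name;
        public SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    /** Shared skeleton: gathers name/password through callbacks; subclasses decide whether to verify them. */
    public abstract static class BaseModule implements LoginModule {
        protected Subject subject;
        protected CallbackHandler handler;
        protected String user;
        protected char[] password;
        protected boolean succeeded;

        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            user = nc.getName();
            password = pc.getPassword();
            pc.clearPassword();
            succeeded = authenticate();
            if (!succeeded) throw new FailedLoginException("unknown user or bad password: " + user);
            return true;
        }
        protected abstract boolean authenticate();
        @Override public boolean commit() {
            if (succeeded) subject.getPrincipals().add(new SimplePrincipal(user));
            return succeeded;
        }
        @Override public boolean abort() { user = null; password = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Hypothetical stand-in for ClientLoginModule: accepts any identity, checks nothing. */
    public static class ClientSideModule extends BaseModule {
        @Override protected boolean authenticate() { return true; }
    }

    /** Hypothetical stand-in for UsersRolesLoginModule: verifies against the server's user table. */
    public static class ServerSideModule extends BaseModule {
        @Override protected boolean authenticate() {
            char[] expected = SERVER_USERS.get(user);
            return expected != null && Arrays.equals(expected, password);
        }
    }

    /** Programmatic replacement for a login-config file: one REQUIRED module per domain name. */
    static Configuration config() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                String module = name.equals("client") ? ClientSideModule.class.getName()
                                                      : ServerSideModule.class.getName();
                return new AppConfigurationEntry[] { new AppConfigurationEntry(module,
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
            }
        };
    }

    /** CallbackHandler that answers the module's name/password callbacks with fixed values. */
    static CallbackHandler credentials(String user, String pw) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pw.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** Returns true when the domain accepts the credentials; a LoginException means rejection. */
    static boolean tryLogin(String domain, String user, String pw) {
        try {
            LoginContext lc = new LoginContext(domain, new Subject(), credentials(user, pw), config());
            lc.login();
            System.out.println(domain + " accepted " + lc.getSubject().getPrincipals());
            return true;
        } catch (LoginException e) {
            System.out.println(domain + " rejected " + user + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        tryLogin("client", "xyz", "anything");   // step 1: succeeds, nothing was verified
        tryLogin("server", "xyz", "anything");   // step 3: rejected, xyz is not in the table
        tryLogin("server", "abc123", "secret");  // the only valid user passes
    }
}
```

Compile with javac and run the class directly (the JAAS packages used here live in java.base, so no extra jars are needed). The point to take away is the split in responsibility: the client-side module only decides what identity travels with the call, and only the server-side module's login() is allowed to decide whether that identity is genuine.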

I have tried my best to explain the flow to you. However, if you still have 
doubts about this, do let us know. Someone, if not me, will be able to help you 
out.



View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3978507#3978507

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3978507
_______________________________________________
jboss-user mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/jboss-user
