>
> If I understand you right, I should override the
> getUsernameAndPassword() method of UsernamePasswordLoginModule and
> return new String[] { "guest", "guest" } if the callbackHandler is
> null instead of throwing an exception.
>
No, the UsernamePasswordLoginModule is typically used by the security domain
protecting your EJB to validate a username and password that has been
sent by a client. Your servlet(s) are the EJB clients that have to provide an
identity in order to access your secured EJBs.
Tobias Seeligner mentioned a better solution to having the user credentials passed
to JBoss EJBs. He created his own Interceptor that performs the binding of the
guest username and password using the SecurityAssociation class I mentioned.
This avoids having to have a JAAS login in your servlet request method and also
isolates the JBoss code to the Interceptor for use by all unsecured servlets.
> Or did you mean that I login Tomcat in the init methods of my servlets
> just as I do in a normal application? Doesn't this mean that the whole
> JVM is logged in (well, I could live with that, but still...)?
>
No, logins have to be done in the thread that is making the request. Since your
an EJB client that is a multi-threaded server, you have to establish the client
identity on each request since you have no control over how thread pooling
assigns threads to servlet requests.
_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user
