"Scott M Stark" <[EMAIL PROTECTED]> wrote:
> Even if an application server does support JAAS there will be
> application server specific code to translate from JAAS Subject to
> what the Subject state means in terms of the caller principal and
> the principal roles because there is no standard for how J2EE
> security can be implemented in terms of JAAS classes.
OK, it's not possible. It's a pity that EJB actually seems to be
clearly underspecified... but it is, so I'll have to handle that.
> > > No, logins have to be done in the thread that is making the
> > > request. Since you're an EJB client that is a multi-threaded
> > > server, you have to establish the client identity on each
> > > request since you have no control over how thread pooling
> > > assigns threads to servlet requests.
> >
> > As mentioned above, I'm in the happy situation that there are only
> > two servlets that dispatch *everything*. So that's what I'll do
> > now: I login at the beginning of the init() and service() methods
> > and logout in a finally block. Will this work as expected?
> >
> Yes because you are establishing the user identity every time in
> each request thread.
I'll do that then and hope that this doesn't cost too much
performance. But I think it won't.
> [a question on how JAAS works and the answer]
Thanx very much! I have now several ideas on how to proceed! :-)))
--
(o_ Raffael Herzog
//\ [EMAIL PROTECTED]
V_/_
May the penguin be with you!
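
The per-request login/logout pattern discussed in this message, as an added illustration that is not code from the post or from JBoss. A `ThreadLocal` stands in for however the container binds the caller identity to the thread (an assumption), and `CALLER`, `callEjb`, `serviceSafe` and `serviceLeaky` are hypothetical names.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added illustration: the ThreadLocal is a stand-in for the container's
// thread-bound caller identity (assumption; this is not JBoss code).
public class PerRequestLogin {
    static final ThreadLocal<String> CALLER = new ThreadLocal<>();

    static void login(String user) { CALLER.set(user); }
    static void logout() { CALLER.remove(); }

    // Stand-in for an EJB call that reads the identity bound to the thread.
    static String callEjb() {
        String who = CALLER.get();
        return who == null ? "anonymous" : who;
    }

    // Pattern from the thread: login at the start, logout in finally.
    static String serviceSafe(String user) {
        login(user);
        try {
            return callEjb();
        } finally {
            logout(); // the pooled thread is returned without an identity
        }
    }

    // Anti-pattern: identity is set but never cleared on the worker thread.
    static String serviceLeaky(String user) {
        if (user != null) login(user);
        return callEjb();
    }

    public static void main(String[] args) throws Exception {
        // One worker, so every "request" reuses the same pooled thread.
        ExecutorService pool = Executors.newFixedThreadPool(1);
        try {
            // Leaky: the second request supplies no user but inherits the first one's.
            System.out.println(pool.submit(() -> serviceLeaky("alice")).get());
            System.out.println(pool.submit(() -> serviceLeaky(null)).get());
            pool.submit(() -> logout()).get(); // reset the worker between runs
            // Safe: each request establishes and then clears its own identity.
            System.out.println(pool.submit(() -> serviceSafe("bob")).get());
            System.out.println(pool.submit(() -> callEjb()).get());
        } finally {
            pool.shutdown();
        }
    }
}
```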