Hi. I have a web application with its own security management (JAAS compatible). Whenever a user logs on, a javax.security.auth.Subject will be stored in the current web session. Now, I want to extend the web application with an EJB tier. In this EJB tier, I would like to use the EJB security management (declarative security, getCallerPrincipal, isCallerInRole). I followed the instructions in the JBoss documentation, ch. 11, "JAAS Based Security in JBoss", and I managed to "secure" an EJB with the DatabaseServerLoginModule.

There is, however, just one problem: right now, my web tier (which is the EJB client) uses the class org.jboss.security.ClientLoginModule to propagate a login to JBoss. If both the login and the call of an EJB business method are in one single HTTP request, everything works fine. If the EJB business method is called in a different (later) request than the login, JBoss doesn't receive the Principal, because both HTTP requests are executed in different threads and therefore ClientLoginModule (and SecurityAssociation) have no way to get the correct Principal for the HTTP request.

I guess that I have to implement something like the following for every EJB call:

    // - "something" will call org.jboss.security.ClientLoginModule
    // - MyCallbackhandler supplies username and password for the Principal in
    //   the current session
    loginContext = new LoginContext("something", new MyCallbackhandler(session.getUser()));
    loginContext.login();
    ejb1.businessMethod();
    loginContext.logout();

Of course, this is rather ugly. Is there a recommended way or a "smarter" way to associate an EJB call with the user information which is stored in a web session?

Martin

_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user
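The login/call/logout sequence Martin sketches can be moved out of the individual EJB calls and into a servlet filter that runs once per request. The following is an added example, not code from the original post or from JBoss: it performs the JAAS client login against the configuration entry "something" (the name used in the post, assumed to map to org.jboss.security.ClientLoginModule) using credentials read from the session, lets the request proceed, and logs out again in a finally block. The session attribute name "user" and the SessionUser holder class are assumptions. The finally-block logout matters because ClientLoginModule and SecurityAssociation are thread-bound and servlet containers reuse threads: without it, a principal established for one request could still be attached to the thread when it serves an unrelated request later.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Re-establishes the JAAS client login on every request so that the thread
 * handling the request carries the session's principal when it calls into
 * the EJB tier, and logs out in a finally block so the principal never leaks
 * to the next request served by the same pooled thread.
 *
 * Assumptions (not from the original post): the session attribute name
 * "user", the hypothetical SessionUser holder class, and the JAAS
 * configuration entry "something" mapping to ClientLoginModule.
 */
public class EjbLoginFilter implements Filter {

    private static final String USER_ATTRIBUTE = "user"; // assumed attribute name
    private static final String JAAS_CONFIG = "something"; // name from the post

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        SessionUser user = (session == null)
                ? null : (SessionUser) session.getAttribute(USER_ATTRIBUTE);

        if (user == null) {
            // No authenticated session: nothing to propagate, pass through unchanged
            chain.doFilter(req, res);
            return;
        }

        LoginContext lc;
        try {
            lc = new LoginContext(JAAS_CONFIG, new SessionCallbackHandler(user));
            lc.login(); // ClientLoginModule binds the principal to this thread
        } catch (LoginException e) {
            throw new ServletException("JAAS client login failed", e);
        }
        try {
            chain.doFilter(req, res); // servlets and their EJB calls run as the user
        } finally {
            try { lc.logout(); } catch (LoginException ignored) { /* best effort */ }
        }
    }

    /** Hands the session's user name and password to the login module. */
    static final class SessionCallbackHandler implements CallbackHandler {
        private final SessionUser user;
        SessionCallbackHandler(SessionUser user) { this.user = user; }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    ((NameCallback) callbacks[i]).setName(user.getName());
                } else if (callbacks[i] instanceof PasswordCallback) {
                    ((PasswordCallback) callbacks[i]).setPassword(user.getPassword());
                } else {
                    throw new UnsupportedCallbackException(callbacks[i]);
                }
            }
        }
    }

    /** Hypothetical holder for what the post keeps in the web session. */
    public static final class SessionUser {
        private final String name;
        private final char[] password;
        public SessionUser(String name, char[] password) {
            this.name = name;
            this.password = password;
        }
        public String getName() { return name; }
        public char[] getPassword() { return password; }
    }
}
```

Map the filter in web.xml to every URL pattern that can reach the EJB tier so that no code path calls a business method without the login having been re-established on the current thread; the business code itself then no longer needs to know about LoginContext at all.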