I am trying to get to grips with security issues with JBoss and in
particular how the getCallerPrincipal and isCallerInRole methods are used.
After going through various bits of fragmented documentation it appeared
that the best (preferred) way to authenticate callers would be external to
the beans, in a servlet that then delegates the caller's request to an EJB.
The only way I can see that authentication details can be propagated to the
EJB is through the InitialContext, something like this:

import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;

// Reuse the JVM's system properties as the JNDI environment
Properties props = System.getProperties();
// Identity of the caller, as looked up in the user database
props.put(Context.SECURITY_PRINCIPAL, username);
// The caller's role is what gets passed as the credentials here
props.put(Context.SECURITY_CREDENTIALS, role);
// The context created from these properties is then used to look up the EJB
InitialContext ic = new InitialContext(props);

where username and role are derived from a user database or suchlike.

I thought that the role would then correspond to the security-role and
method-permission entries in the ejb-jar.xml file, but this doesn't seem to
be the case: isCallerInRole always returns false and getCallerPrincipal
throws

java.lang.IllegalStateException: No security context set

Could anyone give me some info on how to set up a security context as my
take on it appears to be way out!

Cheers
Nick

_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user
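As an added illustration (not code from the post above), this is the bean side of what the question describes: an EJB 2.x session bean that takes its SessionContext from the container and calls getCallerPrincipal and isCallerInRole. The bean name, method names and the role name "Manager" are assumptions for the example; for isCallerInRole to return true, the role must be declared in a security-role entry and granted on the method by a method-permission entry in ejb-jar.xml.

```java
// Added example, not from the mailing-list post. AccountBean, its methods and
// the "Manager" role are assumed names for illustration.
import java.security.Principal;
import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class AccountBean implements SessionBean {
    private SessionContext ctx;

    // The container injects the context; it is the only source of
    // getCallerPrincipal() and isCallerInRole() inside the bean.
    public void setSessionContext(SessionContext ctx) {
        this.ctx = ctx;
    }

    // Returns the authenticated caller's name. In JBoss this is the call that
    // fails with "No security context set" when the invocation reaches the
    // bean without an authenticated identity attached to it.
    public String whoAmI() {
        Principal caller = ctx.getCallerPrincipal();
        return caller.getName();
    }

    // Programmatic check that complements the declarative one: the role name
    // must match a <security-role> in ejb-jar.xml (or be mapped to one via a
    // <security-role-ref> in this bean's descriptor entry). Deployment-time
    // <method-permission> entries for "Manager" gate this method before the
    // body is ever reached; this check is a second, in-code guard.
    public void closeAccount(String accountId) {
        if (!ctx.isCallerInRole("Manager")) {
            throw new EJBException("caller is not in role Manager");
        }
        // ... close the account identified by accountId
    }

    // EJB 2.x lifecycle callbacks required by the SessionBean interface
    public void ejbCreate() throws CreateException {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
}
```

In the descriptor, "Manager" appears once as <security-role><role-name>Manager</role-name></security-role> under <assembly-descriptor> and once inside a <method-permission> naming closeAccount; without both, isCallerInRole("Manager") stays false even for an authenticated caller.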
