adogg, Option 1 is what I mentioned before. If at least one method of a bean is secured, then the whole bean must be covered by a security domain. As such, access to any method will require a caller to be authenticated. Note this does not mean the caller has to be authorized, just authenticated. So your MBean must authenticate as a caller.
Option 2 makes the most sense to me. I have used this method before.

As an aside, I solved a similar problem. I had a login module that needed to access a secured bean as part of the authentication/authorization process. However, the question remained how to A/A the login module. I developed a custom login module and a package-visible token object. A caller of my secured EJB had to be a member of the package in order to set the thread-local token. That value was then sent to the authentication layer as the password. Inside the custom login module (which was also a member of the package) the token was checked against the passed-in password. Thus only a member of that package, and only the instance of that caller that set the token in that thread, could have possibly been the one being authenticated.

Let me know if you need more details, and good luck,
cgriffith

View the original post: http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3955096#3955096

JBoss-user mailing list
JBoss-user@lists.sourceforge.net
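The package-visible token scheme cgriffith describes, as an added illustration that is not code from the original post or from JBoss: a package-private ThreadLocal token holder, an in-package caller that mints a token and hands it to JAAS as the "password", and a custom JAAS LoginModule in the same package that compares the supplied password against the thread's token. The package name, the class names, the JAAS configuration entry name "InternalCaller" and the caller principal name "mbean-internal" are all assumptions; the JAAS APIs used (LoginModule, LoginContext, the callback classes) are standard Java SE. The token here is a fresh random value consumed once per thread, which is a design choice added for this example, not something the post specifies.

```java
package com.example.internalauth; // hypothetical package; everything below must live in it

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Package-private holder: only classes compiled into this package can mint or read the token. */
final class CallerToken {
    private static final ThreadLocal<String> TOKEN = new ThreadLocal<>();
    private static final SecureRandom RNG = new SecureRandom();

    private CallerToken() {}

    /** Mint a fresh random token for the current thread and return it to the caller. */
    static String issue() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getEncoder().encodeToString(raw);
        TOKEN.set(token);
        return token;
    }

    /** Read and clear in one step, so a stale token cannot be reused on this thread. */
    static String consume() {
        String token = TOKEN.get();
        TOKEN.remove();
        return token;
    }
}

/** In-package caller: sets the thread-local token, then authenticates with it as the password. */
final class InternalCaller {
    static void authenticate() throws LoginException {
        final String token = CallerToken.issue();
        CallbackHandler handler = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) {
                    ((NameCallback) c).setName("mbean-internal");       // assumed principal name
                } else if (c instanceof PasswordCallback) {
                    ((PasswordCallback) c).setPassword(token.toCharArray());
                } else {
                    throw new UnsupportedCallbackException(c);
                }
            }
        };
        // "InternalCaller" is an assumed JAAS configuration entry that lists TokenLoginModule.
        new LoginContext("InternalCaller", handler).login();
    }
}

/** Custom JAAS login module; being in the same package is what lets it read CallerToken. */
public final class TokenLoginModule implements LoginModule {
    private CallbackHandler handler;
    private boolean succeeded;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user");
        PasswordCallback pc = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        char[] pw = pc.getPassword();
        pc.clearPassword();
        String expected = CallerToken.consume();
        // Constant-time comparison so the token cannot be probed through timing differences.
        succeeded = expected != null && pw != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                new String(pw).getBytes(StandardCharsets.UTF_8));
        if (!succeeded) {
            throw new FailedLoginException("internal caller token mismatch");
        }
        return true;
    }

    @Override public boolean commit()  { return succeeded; }
    @Override public boolean abort()   { succeeded = false; return true; }
    @Override public boolean logout()  { succeeded = false; return true; }
}
```

Because CallerToken is package-private and its methods are package-private, a class outside com.example.internalauth cannot set the token, and since the check happens on the same thread that issued it, a token minted in one request cannot satisfy a login attempted from another thread. The module still needs a JAAS configuration entry (assumed to be named "InternalCaller") and, in a container, the usual security-domain wiring.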