This stuff is jboss 3/4 only, but should work fine in 3.0.2.

The CallerIdentityLoginModule is kind of between the ejb (or even jsp) part of the app and the resource adapter/jdbc datasource. If you set up jca (database, here) security using the JAAS framework, you use a login module to supply the security info to the adapter. This login module can use whatever means it wants to come up with a suitable Subject for the ManagedConnectionFactory. Basically there are only 3 possible kinds: you always use the same identity ("configured identity", which corresponds to what you are using now), the same identity as the user in the app ("caller identity", which seems to be what you want) and mapping the app user identity to something else (your choice how :-).
You should be able to set up the CallerIdentityLoginModule in jboss 3 without too much trouble. (I haven't tested it, but the guy who wrote it did). You will need to set the pooling criteria to ByApplication.

One factor to be aware of with the current pooling implementation is that there is one pool (using the min, max, etc parameters) for each distinct user. You will probably want to set the pool size low and have a short idle timeout. There is currently no global maximum on the number of pools. (this wouldn't be hard to add, but I'm not sure of the most appropriate logic).

So far this will work with any database. There is a concept in jca of reauthentication, which sounds like pretty much what Oracle is supporting here. So, I imagine you could write an Oracle specific jca wrapper that supported reauthentication using this oracle specific feature. This would let you use just one pool, avoiding the potential problem I mentioned above.

If you want to work on this I can try to give you some hints, and I hope you would consider contributing the result: I think others could use it as well.

Thanks
david jencks

On 2002.09.05 13:54:51 -0400 "Sonnek, Ryan" wrote:
> thanks for the quick reply! i'll try and clarify my situation.
>
> yes, this seems to be an EXTREMELY non standard request, and against a lot
> of what i believe to be so great about J2EE, but trying to appease some very
> difficult people.
>
> our current setup is that an application is deployed with an ldap security
> domain, so when a user accesses a web page, they'll be prompted for a
> username/password, and be logged in. from there, calling a stateless
> session bean to make the database connection and return certain results.
> the SLSB is looking up a datasource with a configured url/username/password
> to connect to the database. since the connection is made through this
> generic account, and records modified will show "generic user" as the audit
> user instead of the logged in person.
> is there any way to propagate the security credentials that the user
> logged in with to that database connection?
>
> i've been reading about oracle's ability to use a "proxy authentication" to
> have one database connection but several individual sessions within that
> connection. when an insert/update/delete occurs, it happens within that
> session, and the audit user will reflect that.
>
> you lost me with the CallerIdentityLoginModule. what does that do again
> (how does jboss use it)??
>
> we're currently using jboss 2.4.6 w/ tomcat 4.0.1 and planning on upgrading
> sometime soon, so if this feature exists only in 3.0.x we'll definitely be
> moving up ASAP.
>
> Ryan J. Sonnek
> Brown Printing Company
> IT Programmer/Analyst
> (507) 835-0803
> <mailto:[EMAIL PROTECTED]>
>
> -----Original Message-----
> From: David Jencks [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 05, 2002 12:35 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [JBoss-user] oracle proxy authentication
>
> This seems like a rather non standard feature. As I understand it from
> your description you can use the same database connection under several
> security identities? What calls do you need to make to establish the
> identity?
>
> How do you plan to use this in a j2ee environment?
>
> In jboss 3, it is already possible with any jdbc driver to get database
> connections using a variety of security identities, by using an appropriate
> login module. We supply a CallerIdentityLoginModule that provides the
> actual user/pw from application login to the database, and a
> ConfiguredIdentityLoginModule that always supplies the same user/pw. I
> have some parts of a mapping login module that looks up in a db table the
> db user/pw to use for each application user.
>
> Please explain how you want to use this Oracle feature.
>
> thanks
> david jencks
>
> _______________________________________________
> JBoss-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/jboss-user
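
The "configured identity" and "caller identity" options discussed in the thread, sketched as two JAAS policies in JBoss's login-config.xml. This is an added example, not part of the original messages: the two login module classes are the ones the thread names (shipped in org.jboss.resource.security), while the policy names, the OracleDS datasource name, the MBean name format and the accounts are assumptions and placeholders.

```xml
<!-- conf/login-config.xml fragment (constructed example; policy names,
     OracleDS and all credentials are placeholders, not values from the thread) -->

<!-- Configured identity: every connection is opened with one fixed database
     account, so database-side audit columns record that account rather
     than the person who logged in to the application. -->
<application-policy name="OracleDbConfigured">
  <authentication>
    <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule"
                  flag="required">
      <module-option name="principal">generic_user</module-option>
      <module-option name="userName">generic_user</module-option>
      <module-option name="password">CHANGE_ME</module-option>
      <!-- Assumed MBean name format; it must match the deployed datasource. -->
      <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=OracleDS</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- Caller identity: the user/password from the application login is passed
     to the database, so each application user needs a matching database
     account and audit columns show the real user. -->
<application-policy name="OracleDbCaller">
  <authentication>
    <login-module code="org.jboss.resource.security.CallerIdentityLoginModule"
                  flag="required">
      <!-- Default account used when no caller is authenticated
           (assumption: keep it least-privileged). -->
      <module-option name="userName">readonly_guest</module-option>
      <module-option name="password">CHANGE_ME</module-option>
      <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=OracleDS</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- The pooling criteria (ByApplication, per the reply above) and the small
     pool size / short idle timeout are set on the datasource's connection
     pool, not in this file. -->
```

With the caller-identity policy, the database must accept the same user name and password the application login used (the LDAP credentials in the setup described above). Because each distinct user gets a separate pool, the database's session limit has to be sized against the number of concurrent users, not just the per-pool maximum.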