I'm a little lost on how authentication and authorization work for ejb level
security when accessing the EJB methods from JSP/JavaBeans.  For now let's
assume that none of my web level stuff is restricted -- just the back end
EJBs.  Do I have to authenticate prior to any EJB call?

I'm lost on the lifecycle of the login module.  I gather it gets created
when I create the login context and login.  It also appears (based on my
tests with a client app, as opposed to a web interface), that the login
context instance can go out of scope and yet the user is still considered
logged in.  E.g.:

{
LoginContext lc = new LoginContext ("other", cbh);
lc.login();
}
{
// restricted method.
ejbHome.findAll ();
// Provided my cbh returns a valid user/password for 'other', this succeeds.
// Note, lc is out of scope.
}

I bring this up because when I use the web interface, I login based on a
form that is processed by a servlet or a JavaBean, then I load up another
JSP that uses a JavaBean to do the (e.g.) ejbHome.findAll().  In this case, I
get a security error because it thinks the Principal is null (and a null
Principal doesn't have permission to do a findAll()).  So I figured
something needs to stick around else the Principal is set back to null.
Obviously it isn't the LoginContext, or my client 'example' wouldn't work.

I had thought that once the LoginContext set up the LoginModule, the module
would stick around until logged out explicitly, but I guess not?  

So, to sum up, why does my Principal get set back to null?  How do I set up
my web interface so that a user only has to (explicitly) log in once?  Do I
have to authenticate prior to ejb calls (on different pages/scopes)?



Joseph Pelle                            Voice:  +1-604-205-9941 x5960
Software Designer                       

Altus Solutions Inc.                            Fax:    +1-604-205-9940
250-4190 Still Creek Drive
[EMAIL PROTECTED]
Burnaby, BC, V5C 6C6, Canada            www.altus-solutions.com







_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
