OK, this is what I thought should happen (as from the JBoss online docs,
Ch. 9):
1. The client first has to perform a login to establish the principal
and credentials that will be used for authentication purposes. This entails
creating a LoginContext and passing the name of the configuration to use. In
the above figure the configuration name is "beanDomain". This is a one time
process that associates the login principal and credentials with all
subsequent EJB method invocations. Note that the login process may not
actually authenticate the user. It depends on the login module
configuration. In Figure 9.6, the beanDomain client side configuration is
using the ClientLoginModule (org.jboss.security.ClientLoginModule) and this
module does not perform client side authentication. It simply binds the
username and password to the JBoss EJB invocation layer for later
authentication on the server.
This seems to work via a client app, but not through a web interface (JSP
scriptlets/servlets/JavaBeans). So what extra config is necessary?
Btw, I'm using JBoss 2.4.9/Tomcat 4.0.4, if that matters.
> -----Original Message-----
> From: Joseph Pelle
> Sent: Monday, February 03, 2003 5:35 PM
> To: Jboss-User (E-mail)
> Subject: ejb tier security
>
> I'm a little lost on how authentication and authorization work for ejb
> level security when accessing the EJB methods from JSP/JavaBeans. For now
> let's assume that none of my web level stuff is restricted -- just the
> back end EJBs. Do I have to authenticate prior to any EJB call?
>
> I'm lost on the lifecycle of the login module. I gather it gets created
> when I create the login context and login. It also appears (based on my
> tests with a client app, as opposed to a web interface), that the login
> context instance can go out of scope and yet the user is still considered
> logged in. e.g.
>
> {
>     LoginContext lc = new LoginContext("other", cbh);
>     lc.login();
> }
> {
>     // restricted method.
>     ejbHome.findAll();
>     // Provided my cbh returns a valid user/password for 'other', this
>     // succeeds. Note, lc is out of scope.
> }
>
> I bring this up because when I use the web interface, I login based on a
> form that is processed by a servlet or a JavaBean, then I load up another
> JSP that uses a JavaBean to do the (e.g.) ejbHome.findAll(). In this case,
> I get a security error because it thinks the Principal is null (and a null
> Principal doesn't have permission to do a findAll()). So I figured
> something needs to stick around else the Principal is set back to null.
> Obviously it isn't the LoginContext, or my client 'example' wouldn't work.
>
> I had thought that once the LoginContext set up the LoginModule, the
> module would stick around until logged out explicitly, but I guess not?
>
> So, to sum up, why does my Principal get set back to null? How do I set
> up my web interface so that a user only has to (explicitly) log in once?
> Do I have to authenticate prior to ejb calls (on different pages/scopes)?
>
>
> Joseph Pelle Voice: +1-604-205-9941 x5960
> Software Designer
>
> Altus Solutions Inc. Fax: +1-604-205-9940
> 250-4190 Still Creek Drive
> [EMAIL PROTECTED]
> Burnaby, BC, V5C 6C6, Canada www.altus-solutions.com
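An added example of the login flow the thread is about (it is not code from either poster or from the JBoss project). It assumes a client-side auth.conf entry named "beanDomain" that uses org.jboss.security.ClientLoginModule, as the quoted docs describe; it assumes the login form has already stored the username and password in the HttpSession under the hypothetical attribute names "jaas.user" and "jaas.password"; and it assumes that, inside the server, the binding ClientLoginModule makes is per thread, which is consistent with the symptom of a null Principal on a later page. The filter redoes the (cheap, non-authenticating) client login on every request and logs out in a finally block so the binding cannot leak to the next request that the same pooled thread serves:

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/*
 * Assumed client-side JAAS configuration (auth.conf), selected by the name
 * passed to LoginContext. ClientLoginModule does no authentication itself;
 * it only binds the principal/credential to the EJB invocation layer.
 *
 *   beanDomain {
 *       org.jboss.security.ClientLoginModule required;
 *   };
 */

/** Hands the stored username/password to whichever login module asks for them. */
class SessionCallbackHandler implements CallbackHandler {
    private final String username;
    private final char[] password;

    SessionCallbackHandler(String username, char[] password) {
        this.username = username;
        this.password = password;
    }

    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof NameCallback) {
                ((NameCallback) callbacks[i]).setName(username);
            } else if (callbacks[i] instanceof PasswordCallback) {
                ((PasswordCallback) callbacks[i]).setPassword(password);
            } else {
                throw new UnsupportedCallbackException(callbacks[i]);
            }
        }
    }
}

/**
 * Re-establishes the EJB-tier login for every request of a session that has
 * already authenticated once (the login form is assumed to have stored
 * "jaas.user" and "jaas.password" in the HttpSession), and logs out again when
 * the request finishes so the binding does not outlive the request.
 */
public class EjbLoginFilter implements Filter {
    private static final String CONFIG_NAME = "beanDomain"; // assumed auth.conf entry

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        String user = session == null ? null : (String) session.getAttribute("jaas.user");
        char[] pass = session == null ? null : (char[]) session.getAttribute("jaas.password");

        if (user == null || pass == null) {
            chain.doFilter(req, resp);   // not logged in: EJB calls will see a null principal
            return;
        }

        LoginContext lc;
        try {
            lc = new LoginContext(CONFIG_NAME, new SessionCallbackHandler(user, pass));
            lc.login();                  // binds user/password for this request's thread
        } catch (LoginException e) {
            throw new ServletException("EJB-tier login failed", e);
        }
        try {
            chain.doFilter(req, resp);   // JSPs/JavaBeans on this thread can now call EJBs
        } finally {
            try {
                lc.logout();             // clear the binding before the thread is reused
            } catch (LoginException ignored) {
                // the response is already complete; nothing further to do
            }
        }
    }
}
```

Map the filter to the JSPs that call EJBs in web.xml. The trade-off to weigh is that the password has to stay in server-side session memory for the life of the session so the client login can be repeated; clearing the session attributes on logout and keeping session timeouts short limits how long it is held.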