An unsecure web component must establish the caller identity on every
call to the component using the login as security is stateless. You have a
multi-threaded environment and you are only setting the caller identity for
the currently executing thread when you do a login. You should logout on
completion of the method, but it is not necessary as the next login using
that thread will overwrite the previous caller context.
xxxxxxxxxxxxxxxxxxxxxxxx
Scott Stark
Chief Technology Officer
JBoss Group, LLC
xxxxxxxxxxxxxxxxxxxxxxxx
----- Original Message -----
From: "Joseph Pelle" <[EMAIL PROTECTED]>
To: "Jboss-User (E-mail)" <[EMAIL PROTECTED]>
Sent: Monday, February 03, 2003 5:35 PM
Subject: [JBoss-user] ejb tier security
> I'm a little lost on how authentication and authorization work for ejb level
> security when accessing the EJB methods from JSP/JavaBeans. For now let's
> assume that none of my web level stuff is restricted -- just the back end
> EJBs. Do I have to authenticate prior to any EJB call?
>
> I'm lost on the lifecycle of the login module. I gather it gets created
> when I create the login context and login. It also appears (based on my
> tests with a client app, as opposed to a web interface), that the login
> context instance can go out of scope and yet the user is still considered
> logged in. eg.
>
> {
> LoginContext lc = new LoginContext ("other", cbh);
> lc.login();
> }
> {
> // restricted method.
> ejbHome.findAll ();
> // Provided my cbh returns a valid user/password for 'other', this succeeds.
> // Note, lc is out of scope.
> }
>
> I bring this up because when I use the web interface, I login based on a
> form that is processed by a servlet or a JavaBean, then I load up another
> JSP that uses a JavaBean to do the (eg.) ejbHome.findAll(). In this case, I
> get a security error because it thinks the Principal is null (and a null
> Principal doesn't have permission to do a findAll()). So I figured
> something needs to stick around else the Principal is set back to null.
> Obviously it isn't the LoginContext, or my client 'example' wouldn't work.
>
> I had thought that once the LoginContext set up the LoginModule, the module
> would stick around until logged out explicitly, but I guess not?
>
> So, to sum up, why does my Principal get set back to null? How do I set up
> my web interface so that a user only has to (explicitly) log in once? Do I
> have to authenticate prior to ejb calls (on different pages/scopes)?
>
>
> Joseph Pelle Voice: +1-604-205-9941 x5960
> Software Designer
>
> Altus Solutions Inc. Fax: +1-604-205-9940
> 250-4190 Still Creek Drive
> [EMAIL PROTECTED]
> Burnaby, BC, V5C 6C6, Canada www.altus-solutions.com
>
> -------------------------------------------------------
> This SF.NET email is sponsored by:
> SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
> http://www.vasoftware.com
> _______________________________________________
> JBoss-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/jboss-user
>