What I ended up doing, and I'm not sure this is the optimal solution, is I wrote a login handler that I then implement in my "unsecured" servlets.
The advantage is that this login handler can set the credentials as it needs, and then the servlet can act as a security proxy for incoming HTTP even though the HTTP is hitting unsecured pages. Since my servlet is the gateway, it always sets credentials for the eventual calls into the EJB tier. This seems to give me exactly the behavior my customer thinks he wants. ie. stuff coming in through SOAP can hit only those EJBs that are open to a SOAP_USER. thanks all\ dt View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3848976#3848976 Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3848976 ------------------------------------------------------- This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170 Project Admins to receive an Apple iPod Mini FREE for your judgement on who ports your project to Linux PPC the best. Sponsored by IBM. Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php _______________________________________________ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user
