After continuing to do some research on the subject, I am still coming back to the idea of using the principal to do that.

The main reason for me to do that is that this is the only way I found to do something that has a chance to work on "all" (WebSphere, WebLogic and JBoss) application servers without being too app-server proprietary. Using the principal comes down to writing a specific JAAS login module that will create a custom principal with a session id. At least a decent amount of code can be shared across the different app servers, compared to an interceptor solution on JBoss, a work area one on WebSphere and not sure what on WebLogic (I did not find a way to do that in WebLogic except the principal).

When you said that coupling this with the security context did not make sense, is it just from a pure architecture point of view or do you foresee some potential problems?

I did not do enough testing yet, but the following areas might cause some issues with the principal solution:

1) Cluster environment. Is the principal fully replicated in a cluster environment (so the session id is replicated with it)?
2) Cached principal timeout. What does it mean for the associated session if authentication is performed again (and potentially a new session id is created)?
3) Is it possible that in some application servers the principal returned by EJBContext.getCallerPrincipal is shared between all the sessions that have been authenticated with the same user id and password? After all, this principal is used only to figure out role memberships, so it should not be a problem if it is shared.

Thomas

View the original post: http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3864014#3864014

JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user
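The login module described in the post above, sketched as an added example (not Thomas's code and not taken from any application server). SessionIdLoginModule and SessionPrincipal are hypothetical names; the sketch assumes Java 8 or later and a separate module in the same JAAS stack that performs the real authentication. How a given server chooses what EJBContext.getCallerPrincipal returns from the Subject is server-specific and not shown.

```java
import java.security.Principal;
import java.security.SecureRandom;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;

// Hypothetical module, stacked after the module that really authenticates:
// it only attaches a fresh, unguessable session id to the Subject.
public class SessionIdLoginModule implements LoginModule {

    // Hypothetical principal type; its name is the session id.
    // Serializable so that a container is able to copy it between nodes.
    public static final class SessionPrincipal implements Principal, java.io.Serializable {
        private final String id;
        SessionPrincipal(String id) { this.id = id; }
        @Override public String getName() { return id; }
        @Override public boolean equals(Object o) {
            return o instanceof SessionPrincipal && ((SessionPrincipal) o).id.equals(id);
        }
        @Override public int hashCode() { return id.hashCode(); }
    }

    private static final SecureRandom RNG = new SecureRandom();
    private Subject subject;
    private SessionPrincipal pending, committed;

    @Override public void initialize(Subject s, CallbackHandler h,
                                     Map<String, ?> shared, Map<String, ?> opts) {
        subject = s;
    }
    @Override public boolean login() {      // phase 1: prepare, do not touch the Subject
        byte[] raw = new byte[16];          // 128 random bits, so every login gets a new id
        RNG.nextBytes(raw);
        pending = new SessionPrincipal(Base64.getUrlEncoder().withoutPadding().encodeToString(raw));
        return true;
    }
    @Override public boolean commit() {     // phase 2: the whole login stack succeeded
        if (pending == null) return false;
        committed = pending;
        pending = null;
        subject.getPrincipals().add(committed);
        return true;
    }
    @Override public boolean abort() { pending = null; return true; }
    @Override public boolean logout() {     // remove only the principal this module added
        if (committed != null) subject.getPrincipals().remove(committed);
        committed = null;
        return true;
    }
}
```

Because login() draws a new id on every call, a re-authentication after a cached principal expires produces a different SessionPrincipal, which is the situation question 2 asks about.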
