You are correct, I am confused... Let's say that I have two custom login modules:
- CustomClientLoginModule: used on the EJB client side to create the custom principal.
- CustomServerLoginModule: used on the EJB server side to perform my custom authentication.

In an EJB client/server mode, CustomClientLoginModule is used in the client JAAS configuration (as well as the JBoss ClientLoginModule) and CustomServerLoginModule is used on the server side (configured in conf/login-config.xml, for example).

Now, I am putting a servlet in front of my EJBs. The servlet is configured to use BASIC authentication. The first question is what the JAAS configuration to use should be. I would like the "real" authentication to be done by the web container (so I can check for roles in my servlet code). So the JAAS configuration of my servlet (security-domain in jboss-web.xml) should definitely use my CustomServerLoginModule (I think) and nothing else (or at least I do not think so).

Granted, my CustomServerLoginModule can definitely create a custom principal that can be returned by EJBContext.getCallerPrincipal. But it is done "too late", as this custom principal is not the one used by the security domain credential cache (it cannot be used to add a unique id that will make two principals with the same user name and password different).

I guess I am confused as to where the code of my CustomClientLoginModule should go. I do not think it should be part of the servlet JAAS configuration, but maybe I am wrong on that one. Still, it seems weird to stack my CustomClientLoginModule and CustomServerLoginModule in the same JAAS configuration. If this is what I have to do, it seems that it is still going to be too late (not the principal used as a key in the security domain cache).

And what about the ClientLoginModule? It should probably not be used either, as what it does for an EJB client is replaced by the org.jboss.web.tomcat.security.SecurityAssociationValve, if I am not mistaken. I am even more confused when I read some of the security posts.
It seems that if I want to use FORM based authentication (instead of BASIC), then things are different. I will be the one coding the call to LoginContext.login, and it seems that I will have to use the ClientLoginModule somewhere.

Thomas

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3878231#3878231

JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user
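For readers following the setup Thomas describes, here is the wiring for the servlet-in-front-of-EJBs case, as an added illustration that is not part of the original post and not taken from JBoss itself. It assumes JBoss 4.x-style descriptors, a security domain named `my-web-domain`, a login module class `com.example.CustomServerLoginModule`, a role named `user` and a servlet path `/secure/*`; all of those names are assumptions. The point it makes concrete is the one raised above: the web container's security domain (jboss-web.xml) and the EJB container's security domain (jboss.xml) are separate settings, and both can point at the same application-policy in login-config.xml so that only the server-side module runs on the server.

```xml
<!-- conf/login-config.xml (assumed domain name: my-web-domain) -->
<!-- Only the server-side module is stacked here; the client-side module
     is not part of the server configuration in this illustration. -->
<application-policy name="my-web-domain">
  <authentication>
    <login-module code="com.example.CustomServerLoginModule" flag="required">
      <!-- assumed option name; whatever your module reads in initialize() -->
      <module-option name="unauthenticatedIdentity">anonymous</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- WEB-INF/web.xml: the web container performs BASIC authentication,
     so isUserInRole() works in servlet code. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>my-web-domain</realm-name>
</login-config>
<security-role>
  <role-name>user</role-name>
</security-role>

<!-- WEB-INF/jboss-web.xml: bind the web application to the JAAS domain. -->
<jboss-web>
  <security-domain>java:/jaas/my-web-domain</security-domain>
</jboss-web>

<!-- META-INF/jboss.xml in the EJB jar: bind the EJBs to the same domain so
     the caller identity established by the web container is accepted. -->
<jboss>
  <security-domain>java:/jaas/my-web-domain</security-domain>
</jboss>
```

A practical check once this is deployed: request a URL under `/secure/` without credentials and confirm the container answers `401` with a `WWW-Authenticate: Basic realm="my-web-domain"` header before any servlet code runs; if the page is served, the `security-constraint` or the `security-domain` binding is not being picked up.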