Hi Philippe and John,

thank you for the great document, it explained a lot. One first impression
is that the current implementation of the security authentication is very
Tomcat specific, but once the client call gets past the authentication and
the security context is set, everything else (method level access checks) is
managed by JOnAS and is therefore transparent to the application. John, I
would be interested in seeing your design if it is available, because the
JNDI authentication seems to be more generic and should work with different
types of clients. Philippe, what are your expectations of how the JOnAS
team/application developers will provide security features for different
types of clients (fat client, different web server)?

Thanks,

Miro Halas

Miroslav Halas
Software Engineer
Compuware Corp.
15305 Dallas Parkway Suite 900
Addison, TX 75001
phone: 9720-960-0960
fax: 972-960-8489
email: [EMAIL PROTECTED]

-----Original Message-----
From: Philippe Coq [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 09, 2000 9:38 AM
To: John Ellis
Cc: jonas
Subject: Re: 2.1.1 Security Problem


John Ellis wrote:
> 
> Christophe,
> 
> Thanks for your reply, but I am still a bit confused.  I was searching <all>
> the source code to find where the propagation was being done.  I couldn't
> find it.  Also, I am not as interested in making it work now (I have a
> workable solution for the present) but in making sure I understand (and can
> maybe influence) the eventual direction of authentication in JOnAS in
> general.  It seems that you are making the assumption that all clients are
> the source for the security and are secure themselves (which is the case
> for a Tomcat client, but not a thick Java Application client or an Applet).
> Another point of clarification is that I don't care about security on
> methods, but I do care that the "getCallerPrincipal" call returns some
> valid and authenticated result.  These direct questions will address my
> concerns.
> 
> 1.  When does the SecuritySender and SecurityReceiver get called?
> 2.  Is the SecurityContext kept with the bean for the life of
> the bean?
> 3.  If this is all tied to threads, how would you handle the situation
> where a thick client logged in to a JNDI Context then passed that
> Context to another thread?
> 4.  How does a client VM (separate from the EJBServer) get the
> SecuritySender, or does it even need one?
> 
> Thanks again,
> 
> John
Hi John,
you will find, as an attached file, a description of how the security
context is propagated in JOnAS with Jeremie.
I hope it will help you.
Best regards,

-- 
        Philippe

Philippe Coq  Evidian   Phone: (33) 04 76 29 78 49
Bull S.A  - 1 rue de Provence - 38432 Echirolles Cedex France
Download our EJBServer at http://www.objectweb.org
----
To unsubscribe, send email to [EMAIL PROTECTED] and
include in the body of the message "unsubscribe jonas-users".
For general help, send email to [EMAIL PROTECTED] and
include in the body of the message "help".
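To make concrete what the thread is discussing (John's concern that getCallerPrincipal returns a valid, authenticated result, and Miro's point that JNDI-based authentication is the more generic route for non-Tomcat clients), here is an added Java example. It is not part of this thread and not JOnAS code; it uses only the standard EJB 1.1 and JNDI APIs. The bean and client class names, the context-factory class and the provider URL are hypothetical placeholders, and how JOnAS maps the JNDI credentials to the bean's security context (the SecuritySender/SecurityReceiver path John asks about) is exactly what Philippe's attached document covers, not something this example shows.

```java
// Added illustration, not JOnAS source. Standard EJB 1.1 / JNDI APIs only;
// AccountBean, AccountClient, the context factory and the URL are hypothetical.
import java.security.Principal;
import java.util.Hashtable;
import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class AccountBean implements SessionBean {
    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() throws CreateException {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}

    // Business method. The bean never looks at credentials itself: it relies on
    // the principal the container established from the propagated security
    // context, and refuses to do anything if that principal is missing or empty.
    // This is the server-side check that matters when the client (thick client,
    // applet) cannot be trusted to be the source of the security context.
    public String whoAmI() {
        Principal caller = ctx.getCallerPrincipal();
        if (caller == null || caller.getName() == null
                || caller.getName().length() == 0) {
            throw new EJBException("no authenticated caller principal");
        }
        // Method-level access is normally declarative (deployment descriptor);
        // the programmatic check is for decisions the descriptor cannot express.
        if (!ctx.isCallerInRole("user")) {
            throw new EJBException("caller " + caller.getName()
                    + " lacks role 'user'");
        }
        return caller.getName();
    }
}

// Thick-client side: authenticate through the JNDI environment rather than
// asserting a principal. The factory class and URL are hypothetical.
class AccountClient {
    static Context login(String user, char[] password) throws NamingException {
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.example.HypotheticalContextFactory");
        env.put(Context.PROVIDER_URL, "rmi://ejb-server.example:1099");
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        // The server must verify these credentials itself; a principal name
        // supplied by the client is only as trustworthy as the client.
        return new InitialContext(env);
    }
}
```

Two caveats a practitioner would want. First, whether the authenticated context travels with the Context object or is bound to the calling thread is precisely John's question 3; a client that hands a Context to a worker thread should not assume the principal follows it, which is why the bean rejects an empty caller rather than trusting the call path. Second, the JNDI properties above are only the generic client-side half; the server-side mapping of those credentials to the caller principal is implementation specific and is what the attached JOnAS/Jeremie description documents.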