Shout Graphics -- Design wrote:
> 
> Hi Philippe (or anyone else),
> 
> can you please explain exactly what SecurityServiceImpl does right now and
> how that does not allow security checking on non-Tomcat clients? Does
> SecurityServiceImpl currently grab the bean's security levels, and JOnAS
> users, but just not the client's levels? How does it get the levels of the
> caller? I am confused really as to the point at which everything hooks up
> and where in the container (EJB Server) the client's info is passed on. Or
> does my client have to call something in the server specifically?
> 
> thanks,
> 
> robert

Hi,
In the JOnAS White Paper you will find a section about "Security Management":
http://www.objectweb.org/jonas/jonas_root/doc/JOnASWP.html#Security
It briefly describes the security management provided by JOnAS.
It states that:
User authentication should be provided by the client of the EJB (e.g.
the Web server), which must initiate and propagate the security context
with calls to the EJB.
Look at the code of the Interceptor we provide for TOMCAT
(SecurityCtxInterceptorxx):
you can see the method authorize(Request req, Response response),
which is called when the TOMCAT authentication process has succeeded.
The code of this method consists of creating a SecurityContext from the
principal:
        SecurityContext ctx = new SecurityContext(principal.getName());
and associating this security context with the current thread:
        SecurityCurrent current = SecurityCurrent.getCurrent();
        current.setSecurityContext(ctx);

Then this security context will be automatically propagated with
the call to an EJB business method, and the container will
be able to check whether the principal has permission to run the
method.

-- 
        Philippe

Philippe Coq  Evidian   Phone: (33) 04 76 29 78 49
Bull S.A  - 1 rue de Provence - 38432 Echirolles Cedex France
Download our EJBServer at http://www.objectweb.org
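The flow Philippe describes (the interceptor builds a SecurityContext from the authenticated principal, associates it with the current thread, and the container later checks that context against the method's permitted roles), as an added, self-contained sketch that is not part of the original thread and not JOnAS's own code. The class names SecurityContext and SecurityCurrent deliberately mirror the ones in the reply, but their signatures, the NamedPrincipal helper, the authorize method, the role sets and the method-to-role table are all assumptions constructed for the demo; the real JOnAS classes differ. It assumes Java 11 or later.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;

/*
 * Hypothetical model of the security-context propagation described in the
 * reply above. Names mirror the reply, but this is a stand-alone sketch,
 * not JOnAS's own code or API.
 */
public class SecurityContextPropagationDemo {

    /** The propagated context: the authenticated principal name plus the roles granted at login. */
    static final class SecurityContext {
        private final String principalName;
        private final Set<String> roles;

        SecurityContext(String principalName, Set<String> roles) {
            this.principalName = principalName;
            this.roles = Set.copyOf(roles);
        }

        String getPrincipalName() { return principalName; }

        boolean isCallerInRole(String role) { return roles.contains(role); }
    }

    /** Per-thread holder, the part SecurityCurrent plays in the reply. */
    static final class SecurityCurrent {
        private static final ThreadLocal<SecurityContext> CURRENT = new ThreadLocal<>();

        static void setSecurityContext(SecurityContext ctx) { CURRENT.set(ctx); }

        static SecurityContext getSecurityContext() { return CURRENT.get(); }

        /** Must run when the request ends: a pooled thread would otherwise carry a stale principal. */
        static void clear() { CURRENT.remove(); }
    }

    /** A concrete Principal for the demo; a real web tier gets one from its own authenticator. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** What the web-tier interceptor does once the web server's own authentication has succeeded. */
    static void onAuthenticated(Principal principal, Set<String> roles) {
        SecurityCurrent.setSecurityContext(new SecurityContext(principal.getName(), roles));
    }

    /**
     * Container-side check before a bean business method runs: the calling thread must
     * carry a propagated context, and the principal must hold at least one role permitted
     * for the method. Fails closed: no context, or a method with no entry, is a denial.
     */
    static boolean authorize(String methodName, Map<String, Set<String>> methodPermissions) {
        SecurityContext ctx = SecurityCurrent.getSecurityContext();
        if (ctx == null) {
            return false; // no interceptor ran on this thread (e.g. a client that bypassed the web tier)
        }
        Set<String> allowed = methodPermissions.get(methodName);
        if (allowed == null) {
            return false;
        }
        for (String role : allowed) {
            if (ctx.isCallerInRole(role)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed sample deployment data: bean method -> roles allowed to call it.
        Map<String, Set<String>> perms = Map.of(
                "transfer", Set.of("teller", "manager"),
                "audit", Set.of("auditor"));

        // This thread plays the web server: authentication succeeded, the interceptor sets the context.
        onAuthenticated(new NamedPrincipal("alice"), Set.of("teller"));
        try {
            System.out.println("alice -> transfer: " + authorize("transfer", perms));
            System.out.println("alice -> audit:    " + authorize("audit", perms));
        } finally {
            SecurityCurrent.clear();
        }

        // A second thread plays a client that never went through the interceptor: no context.
        Thread rawClient = new Thread(() ->
                System.out.println("no-context caller -> transfer: " + authorize("transfer", perms)));
        rawClient.start();
        rawClient.join();

        // Same thread as the first call, after clear(): the earlier principal must not leak.
        System.out.println("after clear -> transfer: " + authorize("transfer", perms));
    }
}
```

The second thread is the point of Robert's question: the container checks whatever context it finds on the calling thread, so a caller that never went through the interceptor (or any equivalent that sets the context) arrives with none and is denied rather than silently granted. The clear() in the finally block is the check a practitioner should insist on in the real interceptor: request threads are pooled, and a context left on the thread would be inherited by the next, unrelated request.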