CMA is Container Managed Security. Its implementation will vary from
container to container. It is not tied to EJBs in any way shape or
form. What it is ... is simply ... container-managed security :-) The
container manages the login.
- user asks for a page with restricted access (configured in web.xml)
- server saves request
- server presents user with login page
- user submits login
- server processes login
- server replays initial request made by user
For "server processes login", the server would (depending on how you
configured it; different options may be available from different
vendors): check a database, do a JNDI lookup (LDAP), or <something
else>. Tomcat supports JDBC, JNDI, flat-file, and ... I think it
provides another one now, though what it is escapes me.
Sounds to me like CMA may not quite work for you, unless you implemented
a custom realm (don't know if your container supports this; Tomcat
does). You're saying that the cookie is a prompt to begin a login for a
specific user. I guess it's not so bad if you're not including their
password; I'd try to go for a userid instead if you could -- much less
recognizable and identifiable. Sorry I came off like a "loose cannon"
;-) I do that sometimes, but my heart is in the right spot. I just had
to see people use practices that might cause (even more) people to
disable cookies out of paranoia.
CMA != EJB
CMA != Full-Fledged J2EE Server (i.e. JBoss)
I believe this is a servlet specification. Therefore, any servlet
container should provide you with a way to configure it. Of course,
there will be as many different ways to configure it as there are
vendors of servlet containers :-/ ... but that's what happens when you
don't set a standard for something.
Siong Chan wrote:
> Hi Eddie and Dimitar..
>
> Thanks for your responses. I realise that using cookies isn't the
> most secure thing to do, however, this is a restriction that has been
> placed upon us from the server that is redirecting the call to us.
> However, we actually only keep the username and some other information
> (not password) in the cookie and then our server will need to perform
> a server to server SOAP message to authorise the userid with the
> originating server.
>
> BTW, Eddie, is your CMA specifically the EJB container users/roles?
> Does the web container allow CMA?
>
> Dimitar...your idea to forward directly to an action worked. Thanks!
>
> Cheers!
> Siong
--
Eddie Bush
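The login sequence described in the message above (restricted URL, saved request, login page, replay) is configured in the web app's deployment descriptor. The following web.xml fragment is an added example, not code from the original mail; the path /secure/*, the role name "member", and the login.jsp / login-error.jsp page names are constructed for illustration.

```xml
<!-- web.xml (Servlet 2.3 layout): container-managed FORM authentication.
     Element order below follows the DTD: security-constraint, login-config,
     security-role. -->
<web-app>

  <!-- Step 1: which URLs are restricted and for whom. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Member area</web-resource-name>
      <!-- Constructed example path: everything under /secure/ is protected. -->
      <url-pattern>/secure/*</url-pattern>
      <!-- No <http-method> elements on purpose: when methods are listed,
           only those are constrained and any unlisted method (HEAD, PUT, ...)
           reaches the resource unauthenticated. Omitting them covers all. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Only logged-in users the realm places in this role get through. -->
      <role-name>member</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Require HTTPS so the posted credentials and the session cookie
           are never sent in the clear. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Step 2: how the container logs the user in. With FORM the container
       saves the original request, shows form-login-page, and replays the
       saved request after the realm accepts the credentials. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Member realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Step 3: every role referenced in an auth-constraint must be declared. -->
  <security-role>
    <role-name>member</role-name>
  </security-role>

</web-app>
```

The login page itself must POST to the servlet-spec action `j_security_check` with fields named `j_username` and `j_password`; where those credentials are checked (database, LDAP via JNDI, flat file) is the realm's job and is configured per container, for Tomcat in server.xml rather than in web.xml.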