On Fri, 5 Apr 2002, Jason Owens wrote:

> Date: Fri, 5 Apr 2002 01:28:28 -0800
> From: Jason Owens <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Security Propagation
>
> I'm interfacing a servlet-based front end to an EJB back end (isn't
> everybody?) using Tomcat + JBoss. My issue is that I need to
> authenticate using my EJB security bean, but I want to associate the
> resulting subject with the user's session in Tomcat (as if I had
> performed container authentication). Are custom realms the ONLY way to
> do this (ugh)?

I don't know the JBoss integration code, but I imagine the answer would be
"yes", since you're trying to manage the Principals that Tomcat uses to
make security decisions.

> Is there any way to cache the subject in the session, and
> just somehow associate it with the thread's security context (sounds
> like this would be easier) when processing? I haven't found any good
> docs on writing a custom realm, has anyone written any?
>

Best bet is to look at the existing examples, like JDBCRealm and
JNDIRealm.

However, to store stuff in the user session, you'll probably need to write
custom Authenticator subclasses as well.  Realms don't have access to
anything about the current request or session.

> Any help/pointers/solutions will be appreciated. Thanks
>

I suppose there is some reason that standard container managed security is
not sufficient ...

> -Jason

Craig

