Hey,

In the JUnit runner, to get the code to authenticate to a named role I use a LoginModule that simply sets the role. No actual authentication takes place. I get the login module loaded by setting the login configuration system property before I create the InitialContext.
Just a question about this.

1. Once OpenEJB is initialized, is it possible to load more login modules? In other words, does it create new LoginContexts during the runtime of OpenEJB?
2. If the openejb-junit JAR had to be on the classpath, can you think of any way this login module can be used to authenticate against any chosen role?

I'm basically trying to determine the security risks of having this module in your classpath. If it's a risk I would need to find a better way of doing the "fake authentication". The only way I could think of is if the login module was explicitly loaded at STARTUP? And after startup this is impossible?

Quintin Beukes

---------- Forwarded message ----------
From: Quintin Beukes <[email protected]>
Date: Tue, Sep 29, 2009 at 5:46 PM
Subject: Question
To: Quintin Beukes <[email protected]>

JUnit runner's login module. Is it a risk in an appserver or a client where it's merely included in the classpath? Can it be
(1) deliberate loading, or can't this happen once the real ones were loaded
(2) automatic loading from CP scanning

Quintin Beukes
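
An added example, not part of the original message and not OpenEJB code: a JAAS LoginContext instantiates the modules named in the active Configuration's entry for its realm, so one check is to list which realms reference the role-setting module. The module class name and realm names below are hypothetical, and the sample Configuration is constructed.

```java
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class JaasModuleAudit {
    // Hypothetical class name standing in for the test-only role-setting module.
    static final String TEST_MODULE = "org.example.junit.RoleSettingLoginModule";

    /** Returns the realm names whose JAAS entries reference the given module class. */
    static List<String> realmsUsing(Configuration cfg, String moduleClass, String... realms) {
        List<String> hits = new ArrayList<>();
        for (String realm : realms) {
            AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(realm);
            if (entries == null) continue; // realm not defined in this configuration
            for (AppConfigurationEntry e : entries) {
                if (moduleClass.equals(e.getLoginModuleName())) {
                    hits.add(realm);
                    break;
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample: "ProdRealm" names a JDK module, "TestRealm" names the test module.
        Configuration sample = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                String module;
                if ("ProdRealm".equals(name)) module = "com.sun.security.auth.module.KeyStoreLoginModule";
                else if ("TestRealm".equals(name)) module = TEST_MODULE;
                else return null;
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(module, LoginModuleControlFlag.REQUIRED,
                        Collections.<String, Object>emptyMap())
                };
            }
        };
        // Lists the realms that would run the test module at login.
        System.out.println(realmsUsing(sample, TEST_MODULE, "ProdRealm", "TestRealm", "Missing"));
        // In a running server, pass Configuration.getConfiguration() and the realm names in use.
    }
}
```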
