I've done this a couple of different ways. I do have a server side invocation
handler that can extract a Principal from the calling context to find an
identity, and then use JAAS to login to check your login credentials. My JNI
interface to PAM allows me to extract/create user and group Principals, put
those into a Subject and then doAs() from there. This is what you would use in
a complex application that needs absolute authentication control when a
credential change should disallow access instantly.
I predominately have no worries about "stolen remote objects" or revoked access
rights. And so single authentication is fine with me, and I use a factory
interface with a single method that I pass identity/credentials to with remote
call. The implementation of that interface uses JAAS to authenticate (I have a
LoginModule that uses JNI interfaces to PAM for *NIX auth that I "plugin" to the
server). If auth succeeds, execution continues to create an instance of the
service object (if needed it might be a singleton depending on the application)
and that is then wrapped by the authorization proxy object which is exported and
wrapped into a Leased smart proxy which thus has the remote reference to the
authorization proxy object on the server. That smart proxy is then what the
client uses.
Gregg Wonderly
On 8/9/2011 9:40 PM, Peter Firmstone wrote:
Gregg Wonderly wrote:
On 8/9/2011 7:57 PM, Peter Firmstone wrote:
I'm interested, I've been thinking about this too, what's your current service
interface?
The service interface is "the service interface". The mechanism just uses a
proxy, delegating object. Thus, if you currently have a service object, you
just create an instance of your security object, passing in the service
object, and then export the security object for remote use.
That keeps you from having to support a "single" role model by having that
codified into your application. Instead, the service can be deployed with an
arbitrarily complex authorization implementation making it quite flexible. You
can even use Configuration to specify the security implementation class.
Gregg Wonderly
So it implements the same interface as your service, but encapsulates it.
So how do you log in, how does it track users? I'm guessing it's got something
to do with associating threads.
Regards,
Peter.
