Hey

> David Gasul wrote:
> A client who wishes to execute some methods of an EJBean is supposed
> to perform the following:
> 1. To locate the Home Interface through JNDI;
> 2. To invoke a finder method to locate the object, or to create a new
> one;
> 3. To invoke the methods she wishes to invoke on that object.

1&2 can also be done by performing a method on another bean which
returns a reference to it, or by invoking getEJBObject on a Handle to
the desired object.

> The container must enforce access authorization to the bean's methods.
> So at the minimum the container needs the ID of the client (which
> better be an authenticated one).

Correct.

> Now, method calls are just RMI calls and to my knowledge, there's
> nothing in RMI to transparently and automatically identify the client.

Now we need to define things:
RMI - an interface with which we can make distributed invocations on
Java objects
JRMP - the default implementation, and wire protocol, of the RMI
interface, provided in the JDK from JavaSoft

So: in RMI there is no interface to define the calling client, and in
JRMP there is no *standard* support for transparent transfer of the
caller's identity.

However, it *is* possible to work around the JRMP engine to provide
transparent parameters in RMI calls. One of these workarounds is
explained on my homepage (see URL below), but it uses internal APIs
(which will "most likely" be public some day!). Another way to do this
is to layer RMI/JRMP with your own client and server proxies which add
these parameters. Such a solution is explained on
http://www.ejboss.org/nextgen.html.

Standardized support for identity transfer will come in JDK1.4 (or
whatever they'll call it) as outlined in the RMI-session during JavaOne
'99.

A standardized interface for client authentication is provided through
the JAAS API, and will most likely be packaged with J2EE in the next
version of the J2EE specification.

> It is true that the container is responsible to provide the BEAN with
> the caller's (read client) principal, but this is NOT the question -
> the question is how does the client identify herself to the
> server/container on each and every method invocation? (Otherwise she
> might pass the object reference to someone who's prevented from
> access)

Currently, this is proprietary, and different to each vendor. Even if
IIOP is used, there is no standardized format for sending the identity
along with the IIOP calls. This will be standardized in EJB2.0.

>
> The spec is very unclear on this issue, so could somebody clarify the
> mystique?

No mystique. It's not there yet :-(

> Is there a STANDARD way of doing this (i.e. server/container
> transparent) or not?

Nope. No standard (yet).

Hope this clears the confusion...

/Rickard

--
Rickard Öberg

@home: +46 13 177937
Email: [EMAIL PROTECTED]
Homepage: http://www-und.ida.liu.se/~ricob684
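
The proxy-layering approach mentioned in the message above, as an added example that is not part of the original post and is not the code from either linked page. All names (`Account`, `Invoker`, `Container`, `clientStub`) are hypothetical, the wire is simulated by an in-process call, the caller name is assumed to be already authenticated, and Java 9+ is assumed.

```java
import java.lang.reflect.*;
import java.util.*;

public class IdentityProxyDemo {
    // Business interface as the client sees it (hypothetical).
    interface Account { int balance(); void withdraw(int amount); }

    // The single call that would cross the wire; identity rides along as an
    // extra parameter. In a real deployment this would extend java.rmi.Remote.
    interface Invoker { Object invoke(String caller, String method, Object[] args) throws Exception; }

    static class AccountBean implements Account {
        private int balance = 100;
        public int balance() { return balance; }
        public void withdraw(int amount) { balance -= amount; }
    }

    // Server-side proxy: checks the caller against a per-method ACL, then dispatches.
    // Assumption: 'caller' has been authenticated before it reaches this point.
    static class Container implements Invoker {
        private final Object bean;
        private final Map<String, Set<String>> acl;
        Container(Object bean, Map<String, Set<String>> acl) { this.bean = bean; this.acl = acl; }
        public Object invoke(String caller, String method, Object[] args) throws Exception {
            if (!acl.getOrDefault(method, Set.of()).contains(caller))   // deny by default
                throw new SecurityException(caller + " may not call " + method);
            for (Method m : bean.getClass().getMethods())
                if (m.getName().equals(method)) return m.invoke(bean, args);
            throw new NoSuchMethodException(method);
        }
    }

    // Client-side proxy: attaches the identity to every call; business code never sees it.
    static Account clientStub(Invoker remote, String caller) {
        return (Account) Proxy.newProxyInstance(Account.class.getClassLoader(),
            new Class<?>[] { Account.class },
            (proxy, m, args) -> remote.invoke(caller, m.getName(), args));
    }

    public static void main(String[] argv) {
        Invoker server = new Container(new AccountBean(), Map.of(
            "balance", Set.of("alice", "bob"), "withdraw", Set.of("alice")));
        Account alice = clientStub(server, "alice"), bob = clientStub(server, "bob");
        alice.withdraw(30);
        System.out.println("bob sees balance " + bob.balance());
        try { bob.withdraw(10); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

Because the check runs on every invocation, handing the stub to another party does not widen access: calls are still evaluated against the identity bound into that stub, which is why that identity must be authenticated rather than merely asserted.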
