About integrating JAAS into EJB (J2EE),

What does JAAS deal with and where is it needed:

1)-->authentication could be needed for two purposes:
       1a) -->For getting security attributes of a user that sits on a
machine in the intranet environment or in a managed extranet environment
(very nice). J2EE solves this problem with the concept of application
components that run in some kind of application container provided by
the J2EE provider. JAAS provides clients with a nice way of
communicating user security attributes to their containers, and it is the
corner where we will need JAAS anyway.
        1b)-->For solving the following form-based authentication
problem outlined by Laird:
            <hint>
when using form-based authentication, you need some way of transmitting
the security attributes you got from the client to the web server
environment, so they can be associated with the communication subsystem.
            </hint>
            <solution>
JAAS's LoginContext.login() method could be used to perform this
task.
            </solution>
            1c)-->But JAAS couldn't be used for getting security
attributes of a user that sits on a browser somewhere on the internet.
For this, we need some kind of HTTP authentication (basic, form, ssl).

2)-->authorization: checking whether a user is allowed to access some
resources. This is definitely not needed by the EJB server, because the
EJB and the JAAS access control logic are uncorrelated (I'm ready to
discuss that in detail).

3)--> JAAS doesn't deal with context propagation, so transmitting
security attributes from EJB clients (stand-alone, servlets) to the EJB
server couldn't be handled by JAAS.

In summary, let's say JAAS can be used for authentication when
implementing J2EE Java clients.

So if you see any other integration point between EJB (J2EE) and JAAS, or
something wrong in what I have written above, let me know your opinion.

Thanks.
--
Francis Pouatcha

MATHEMA Software GmbH
http://www.mathema.de

===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST".  For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
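The form-based case in point 1b above, as an added example that is not Francis's code nor MATHEMA's: a stand-alone Java program that feeds a posted username and password through a JAAS CallbackHandler into LoginContext.login(), and then reads back the Principals that the LoginModule committed to the Subject. Everything named here is an assumption made for the example: the classes FormLoginDemo, FormLoginModule and SimplePrincipal, the "WebApp" entry name, the in-memory Configuration that stands in for a jaas.conf file, and the constructed credential table (alice / s3cret). A real module would check a directory or database, and a servlet would read the two fields from the POST request instead of the string literals in main().

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class FormLoginDemo {
    /** Principal the module commits to the Subject: a kind ("user"/"role") plus a name. */
    public static final class SimplePrincipal implements Principal {
        private final String kind, name;
        public SimplePrincipal(String kind, String name) { this.kind = kind; this.name = name; }
        public String getName() { return name; }
        @Override public String toString() { return kind + ":" + name; }
    }

    /** Hypothetical LoginModule: checks the posted fields against a constructed table. */
    public static class FormLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;      // non-null only after login() succeeded

        public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("username");
            PasswordCallback pc = new PasswordCallback("password", false);
            try {
                handler.handle(new Callback[] { nc, pc });   // pulls the form fields in
            } catch (Exception e) {
                throw new LoginException("cannot obtain credentials: " + e);
            }
            char[] pw = pc.getPassword();
            pc.clearPassword();
            // Constructed credential table; a real module would query a directory or DB.
            boolean ok = "alice".equals(nc.getName()) && pw != null
                      && Arrays.equals(pw, "s3cret".toCharArray());
            if (pw != null) Arrays.fill(pw, '\0');           // do not keep the secret around
            if (!ok) throw new FailedLoginException("bad username or password");
            user = nc.getName();
            return true;
        }

        public boolean commit() {        // LoginContext calls this once the whole module stack succeeded
            if (user == null) return false;
            subject.getPrincipals().add(new SimplePrincipal("user", user));
            subject.getPrincipals().add(new SimplePrincipal("role", "customer"));
            return true;
        }

        public boolean abort() { user = null; return true; }   // called instead of commit() on failure
        public boolean logout() { subject.getPrincipals().clear(); user = null; return true; }
    }

    /** Handler that answers the module's callbacks from the two POSTed form fields. */
    static CallbackHandler formHandler(final String username, final String password) {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(username);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    /** In-memory equivalent of a jaas.conf entry: WebApp { <module class> required; }; */
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                FormLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                Collections.<String, Object>emptyMap()) };
        }
    };

    /** Runs login() for one form submission; returns the populated Subject or throws. */
    static Subject authenticate(String username, String password) throws LoginException {
        Subject subject = new Subject();
        LoginContext lc = new LoginContext("WebApp", subject, formHandler(username, password), CONFIG);
        lc.login();                      // throws LoginException on failure
        return subject;
    }

    public static void main(String[] args) throws Exception {
        // Constructed form submissions, as a servlet would read them from request parameters.
        Subject ok = authenticate("alice", "s3cret");
        System.out.println("accepted, principals: " + ok.getPrincipals());
        try {
            authenticate("alice", "wrong");
        } catch (LoginException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac FormLoginDemo.java && java FormLoginDemo`. The Subject returned by authenticate() is the thing the hint above is after: it carries the user's security attributes, and the web layer keeps it (for instance in the HttpSession) and runs work under it with Subject.doAs(). On the wrong-password path LoginContext calls abort() rather than commit(), so the Subject stays empty and nothing is associated with the session.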
