> > JNDI does not authenticate the user. Once you get a reference you can
> > use it multiple times with different users.
> >
> > JAAS takes care of authenticating if you use multiple servers with
> > different credentials (see javax.security.auth.Subject to understand
> > how).
Let's make it absolutely clear. Nowhere in the specification does it
support authentication for the JNDI environment naming context. And
there's a reason for that, so don't expect to see JNDI authentication
being supported in the future.
The JNDI model does not authenticate the user making a call to a bean,
but the user who gets a reference to a bean. So as far as security goes,
it's one big security hole.
The JAAS model authenticates the user when the actual call is made,
enforcing security.
Of course the current JAAS 1.0 is incomplete in many ways, I grant you
that. So think of it as the basis, with better guidelines coming along
down the road.
> JAAS doesn't deal with sending security context to a server. JAAS can only associate a
> thread with multiple principals. So JAAS can't know to which server request is being
<magic starts here>
Security context is somehow propagated between client and server. It
could be over IIOP (COS Security), it could be Kerberos, it could be
HTTP/SHTTP (e.g. XML-RPC), etc.
All these protocols allow sufficient information to be passed between
client and server. Assuming you have JAAS at both ends, you can
reauthenticate as needed (typically only once per user).
<magic ends here>
Example scenario. User logs into the Web server, HTTP authentication
kicks in, authenticates the user against JAAS. JAAS now has a
RoleCredential, CommonNamePrincipal, and Kerberos credential for that
user.
Web server makes call to EJB server over IIOP using Kerberos (just an
example). The credentials are passed from the client to the server. EJB
server uses Kerberos credentials to re-authenticate.
More complex example scenario. User 'Betty' from 'Acme.com' logs into
HTTP server and authenticates. An EJB bean is now called on a remote
server by some other company (ASP.com) under the account 'Acme.com-RnD'.
JAAS provides 'Betty' with the proper credentials to authenticate as
'Acme.com-RnD' (shared account) on ASP.com's EJB server.
arkin
> sent ("A" or to server "B") or which communication scheme is being used (RMI-IIOP or
> WLS-t3). The container implementor will for example call the
> Subject.getSubject().getPrincipal(...) to get the needed principal and sends it to the
> corresponding server.
>
> Finally, let's say JAAS will provide Java-clients with a portable way for
> communicating users security information to their containers.
>
> any comment?
>
> --
> Francis Pouatcha
>
> MATHEMA Software GmbH
> http://www.mathema.de
>
> ===========================================================================
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff EJB-INTEREST". For general help, send email to
> [EMAIL PROTECTED] and include in the body of the message "help".
--
----------------------------------------------------------------------
Assaf Arkin www.exoffice.com
CTO, Exoffice Technologies, Inc. www.exolab.org
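The contrast Arkin draws between a reused JNDI reference and JAAS authenticating "when the actual call is made", as an added example that is not part of this thread: the bean inspects the Subject bound to the calling thread on every invocation, so one shared bean reference yields different outcomes for two authenticated users. CommonNamePrincipal, RoleCredential, PayrollBean and the login() helper are assumed stand-ins; in a real deployment a LoginModule would populate the Subject instead of login().

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

// Hypothetical stand-ins for the CommonNamePrincipal and RoleCredential named in the thread.
record CommonNamePrincipal(String name) implements Principal {
    public String getName() { return name; }
}
record RoleCredential(String role) {}

// The bean authorizes the Subject bound to the calling thread on every invocation
// (the JAAS model) rather than trusting whoever obtained its reference (the JNDI model).
final class PayrollBean {
    String readSalary(String employee) {
        Subject caller = Subject.getSubject(AccessController.getContext());
        if (caller == null) throw new SecurityException("no authenticated caller");
        boolean isHr = caller.getPublicCredentials(RoleCredential.class)
                             .stream().anyMatch(c -> c.role().equals("HR"));
        if (!isHr) throw new SecurityException("caller lacks HR role");
        return "salary record for " + employee;
    }
}

public class JaasPerCallDemo {
    // Stands in for "HTTP authentication kicks in, authenticates the user against JAAS":
    // a LoginModule would normally populate the Subject; here it is built directly (assumption).
    static Subject login(String user, String role) {
        Subject s = new Subject();
        s.getPrincipals().add(new CommonNamePrincipal(user));
        s.getPublicCredentials().add(new RoleCredential(role));
        s.setReadOnly();
        return s;
    }

    public static void main(String[] args) {
        PayrollBean bean = new PayrollBean(); // one shared reference, as a JNDI lookup would hand out
        PrivilegedAction<String> call = () -> bean.readSalary("alice");

        // Betty carries the HR role: the call succeeds.
        System.out.println(Subject.doAs(login("Betty", "HR"), call));
        try {
            // Same bean reference, different authenticated Subject: the call is refused.
            Subject.doAs(login("Bob", "Sales"), call);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Subject.doAs and Subject.getSubject(AccessControlContext) are the JAAS 1.0-era calls the thread refers to; on JDK 18 and later they are deprecated in favour of Subject.callAs and Subject.current(), which carry the same per-call semantics.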