francis pouatcha wrote:
>
> Assaf Arkin wrote:
>
> > > No, it doesn't. But shouldn't it?
> > > JAAS deals with propagating sec. attrs. within an application. I believe
> > > that for JAAS to be semantically complete (even within J2SE, which includes
> > > RMI), it needs to be able to propagate sec. attrs. through RMI. Else, the
> > > semantics of an RMI-method call is inconsistent. When calling an RMI-method
> > > residing on the same VM the context is propagated, else it is not.
> >
> > For same-VM you can simply carry the AccessControlContext around (same
> > Subject).
> >
> > For remote methods, you can serialize the Subject, send it along and have
> > it reauthenticated on the server side.
> >
>
> Why not serialize the whole AccessControlContext?
> JAAS isn't designed for distribution. It is for intra-VM authentication and
> authorisation.

Security. If you can serialize AccessControlContext and deserialize it,
you might introduce ways to break security.

The AccessControlContext is built from the stack, accumulating
permissions and code bases as it goes along. Your code is always in
control of where it is right now, but not in control of the top of the
stack. Serializing/deserializing allows you to get that control.

For example, if you are running under a specific permission available to
the Servlet container, then serialize and deserialize in an EJB container,
you get that permission, which might not be applicable.

arkin


>
> --
> Francis Pouatcha
>
> MATHEMA Software GmbH
> http://www.mathema.de
>
> ===========================================================================
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff EJB-INTEREST".  For general help, send email to
> [EMAIL PROTECTED] and include in the body of the message "help".

--
----------------------------------------------------------------------
Assaf Arkin                                           www.exoffice.com
CTO, Exoffice Technologies, Inc.                        www.exolab.org
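[Editor's note: an added example, not code from the thread or from any of its authors, illustrating the two points above: the AccessControlContext cannot be marshalled, while the Subject can, and the server rebuilds the context from its own stack after re-authenticating. The SimplePrincipal class, the reauthenticate() stub that only knows "alice", and the byte-array "wire" standing in for the RMI transport are assumptions of the demo.]

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Set;
import javax.security.auth.Subject;

public class SubjectPropagation {

    /** Hypothetical serializable principal used to build the demo Subject. */
    public static final class SimplePrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        public SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof SimplePrincipal && ((SimplePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Point 1: the context is not Serializable, so its accumulated
     *  permissions cannot be shipped to another VM or container. */
    public static boolean contextIsSerializable() {
        return Serializable.class.isAssignableFrom(AccessControlContext.class); // false
    }

    /** Client side of the RMI call: marshal the Subject, not the context.
     *  Subject's credential sets are transient, so only the principals travel. */
    public static byte[] marshalSubject(Subject subject) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(subject);
        }
        return bos.toByteArray();
    }

    /** Server side: unmarshal, then re-authenticate every principal before
     *  trusting it, and hand back a fresh read-only Subject built here. */
    public static Subject unmarshalAndReauthenticate(byte[] bytes)
            throws IOException, ClassNotFoundException {
        Subject received;
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            received = (Subject) ois.readObject();
        }
        for (Principal p : received.getPrincipals()) {
            if (!reauthenticate(p)) {
                throw new SecurityException("rejecting unverified principal " + p.getName());
            }
        }
        return new Subject(true, received.getPrincipals(), Set.of(), Set.of());
    }

    /** Stand-in for a real LoginModule / credential check.
     *  Assumption: the server only knows "alice". */
    private static boolean reauthenticate(Principal p) {
        return "alice".equals(p.getName());
    }

    /** Point 2: run the server-side work under the re-authenticated Subject.
     *  doAs installs a SubjectDomainCombiner, so the AccessControlContext seen
     *  inside is built from the server's own stack plus this Subject; nothing
     *  the client's stack had accumulated comes across. */
    public static String runAsSubject(Subject serverSubject) {
        return Subject.doAs(serverSubject, (PrivilegedAction<String>) () -> {
            AccessControlContext acc = AccessController.getContext();
            Subject current = Subject.getSubject(acc);
            return current.getPrincipals().iterator().next().getName();
        });
    }

    public static void main(String[] args) throws Exception {
        System.out.println("AccessControlContext serializable? " + contextIsSerializable());

        Subject alice = new Subject(false, Set.of(new SimplePrincipal("alice")), Set.of(), Set.of());
        byte[] wire = marshalSubject(alice);                 // constructed stand-in for the RMI stream
        System.out.println("Server sees principal: " + runAsSubject(unmarshalAndReauthenticate(wire)));

        // A caller who forges a principal the server cannot verify is refused.
        Subject mallory = new Subject(false, Set.of(new SimplePrincipal("mallory")), Set.of(), Set.of());
        try {
            unmarshalAndReauthenticate(marshalSubject(mallory));
        } catch (SecurityException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Subject.doAs and Subject.getSubject(AccessControlContext) are what the thread's era used; they are deprecated from JDK 17/18 onward (Subject.callAs and Subject.current are the replacements), and on JDK 24, where the Security Manager has been removed, getSubject(AccessControlContext) throws UnsupportedOperationException. The security property shown does not depend on which pair is used: the Subject crossing the wire carries principals only, and the permissions in effect on the server come from the server's stack.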
