Hm. Has anyone been successful in working under several security identities
from the same VM or thread on the client? I had problems doing so. I'm just
not sure, whether it is a bug in jBoss or it is meant to be so.

The problem is that when you login Administrator (has all privileges) and
then login some other user (who's not allowed to do everything), the latter
can do anything Administrator is allowed to. Because of this serious problem
we are currently incorporating security checks into lower presentation
layers (servlets), not into business layers (EJB).

Alexander Klyubin

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of dferugson
Sent: Monday, January 22, 2001 18:05
To: jBoss Developer
Subject: Re: [jBoss-Dev] jaas - commit()


Oleg Nitz wrote:
>
> Hi Doug,
>
> Ferguson, Doug wrote:
> > I am currently trying to write a loginModule that
> > uses DBAuthentication and uses roles.
>
> > I was checking out the AbstractLoginModule class
> > and noticed that it just took the Subject reference
> > and added roles to it. Is this all that is necessary
> > to add roles to a user.
> Yes.
>
> > What is going on under the hood here. How does jBoss
> > get the subject back later?
> JBoss creates its own LoginContext, which runs server LoginModules.
> Upon successful authentication JBoss calls LoginContext.getSubject(),
> reads the set of public Credentials of the Subject and interprets it
> as a set of roles.
>
> > I.E. I thought rmi calls were pass by value.
> What do you mean?
> All that happens locally on the server, no RMI calls.
** Well, the subject gets passed from the client to jBoss (via rmi).
This would be pass by value, so when subsequent calls come through
I was just curious how jBoss keeps track of the authenticated
user/roles.


Thanks.

--
Doug Ferguson
Software Developer
www.coremetrics.com
512-342-2623x212
512-619-9972(cell)
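As an added illustration (not code from this thread or from JBoss itself), the following stand-alone JAAS program shows the mechanism Oleg describes, a LoginModule that records roles as the Subject's public credentials and a caller that reads them back via LoginContext.getSubject(), and why an authorization check has to consult the Subject of the identity making the call rather than a process-wide "last login" holder, which is the kind of sharing that would let a second login inherit the first one's privileges. The DemoLoginModule, ROLES table, loginAs and hasRole helpers are hypothetical and constructed for this example.

```java
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class RoleScopingDemo {
    // Constructed user table (user -> roles); no passwords, authentication is stubbed out.
    static final Map<String, Set<String>> ROLES = Map.of(
            "admin", Set.of("Administrator", "Viewer"), "bob", Set.of("Viewer"));

    // Hypothetical LoginModule: commit() stores the roles as public credentials
    // of the Subject, which is how the thread says JBoss reads them back.
    public static class DemoLoginModule implements LoginModule {
        private Subject subject;
        private String user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s;
            user = (String) opts.get("user"); // passed via module options instead of a CallbackHandler
        }
        public boolean login() throws LoginException {
            if (!ROLES.containsKey(user)) throw new FailedLoginException("unknown user: " + user);
            return true;
        }
        public boolean commit() { subject.getPublicCredentials().addAll(ROLES.get(user)); return true; }
        public boolean abort()  { return logout(); }
        public boolean logout() { subject.getPublicCredentials().clear(); return true; }
    }

    // One LoginContext, hence one Subject, per identity; the application name doubles as the user here.
    static LoginContext loginAs(String user) throws LoginException {
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    DemoLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, Map.of("user", name)) };
            }
        };
        LoginContext lc = new LoginContext(user, null, null, cfg);
        lc.login();
        return lc;
    }

    // The check reads the caller's own Subject, never a shared "last login" that a second login overwrites.
    static boolean hasRole(Subject s, String role) { return s.getPublicCredentials().contains(role); }

    public static void main(String[] args) throws LoginException {
        LoginContext admin = loginAs("admin"), bob = loginAs("bob");
        System.out.println("bob is Administrator? " + hasRole(bob.getSubject(), "Administrator"));
        admin.logout(); // logging out clears the roles on admin's Subject only
        System.out.println("admin still Administrator? " + hasRole(admin.getSubject(), "Administrator"));
    }
}
```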

