I think this should be my last question.... ;)
When you use the LoginContext to login on the client side,
it logs you in, but for how long? Until the life of the
method, as long as the LoginContext has scope?
I am assuming that while you are logged in (depending on
the answer from the question above) all ejb calls will
be tied to that user.
I am really interested in finding out how JAAS does what it
does. I can understand getting an instance of a LoginContext
and calling a login method but how can all subsequent calls
be sent out by that user without being wrapped in some other
interface, etc. Seems like there would have to be a security
server on the client side?
Once logged in, when requests hit jboss, they have username and
password attached so that jBoss will then run it through
whichever loginModule that you have attached. This is assuming that
each request must go through the login module, if not how
is caching implemented?
Thanks
Oleg Nitz wrote:
>
> On Saturday 20 January 2001 23:52, Ferguson, Doug wrote:
> > I think this jaas stuff is slowly starting to unravel
> > for me.
> Good :-)
>
> > Is the loginModule the thing that is pointed to via
> > Auth.conf?
> Yes.
>
> > Where can I find info on writing LoginModules?
> In JAAS documentation, http://java.sun.com/products/jaas
>
> > You said that names are passed as parameters to the
> > login module. This would be in the client code?
> No, I meant the parameters of the login module in auth.conf.
> Usually they are called "options", sorry for wrong terminology.
>
> > I've seen one example of a client that used jaas and it
> > has to create a CallbackHandler to pass into the LoginContext.
> > Is there a concrete implementation of CallbackHandler included
> > with jBoss or will I need to write my own?
> No, you need to write your own, it is a client application specific
> thing by definition.
>
> > Also, since the current DB scheme doesn't support roles, does it
> > just restrict users that can't authenticate from calling any
> > method?
> If you aren't authenticated, you can't call methods.
> If you are authenticated, you can call any method in the bean,
> for which ejb-jar.xml doesn't define any roles. If roles are defined,
> you cannot call methods at all.
>
> Regards,
> Oleg
--
Doug Ferguson
Software Developer
www.coremetrics.com
512-342-2623x212
512-619-9972(cell)
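
An added example, not part of this thread and not JBoss code: a client-written CallbackHandler passed to a LoginContext, with a login module that reads its "options" as discussed in the quoted reply. The class names, the option names `demoUser`/`demoPassword`, the credentials and the in-memory Configuration (standing in for an auth.conf entry) are all constructed assumptions; it uses plain JAAS only and shows that the Subject stays populated until `logout()` is called.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class JaasClientDemo {
    // Hypothetical module for illustration; a real one would check a database or directory.
    public static class DemoLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private Map<String, ?> options; private java.security.Principal user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h; options = opts; // opts = the module "options" from the config entry
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            // The module never prompts itself; it asks whatever handler the client supplied.
            try { handler.handle(new Callback[] { nc, pc }); } catch (Exception e) { throw new LoginException(e.toString()); }
            String name = nc.getName(); char[] pw = pc.getPassword();
            boolean ok = pw != null && options.get("demoUser").equals(name)
                    && Arrays.equals(pw, ((String) options.get("demoPassword")).toCharArray());
            pc.clearPassword();
            if (!ok) throw new FailedLoginException("bad credentials");
            user = () -> name; // Principal has a single abstract method, getName()
            return true;
        }
        public boolean commit() { return user != null && subject.getPrincipals().add(user); }
        public boolean abort() { user = null; return true; }
        public boolean logout() { subject.getPrincipals().remove(user); user = null; return true; }
    }
    public static void main(String[] args) throws LoginException {
        CallbackHandler handler = callbacks -> { // client-specific: constructed credentials, no prompt
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("doug");
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("s3cret".toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
        Map<String, String> opts = Map.of("demoUser", "doug", "demoPassword", "s3cret"); // constructed options
        AppConfigurationEntry entry = new AppConfigurationEntry(DemoLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        Configuration conf = new Configuration() { // in-memory stand-in for an auth.conf entry
            public AppConfigurationEntry[] getAppConfigurationEntry(String app) { return new AppConfigurationEntry[] { entry }; }
        };
        LoginContext lc = new LoginContext("demo", new Subject(), handler, conf);
        lc.login(); // runs DemoLoginModule.login(), then commit()
        System.out.println("after login:  " + lc.getSubject().getPrincipals().size() + " principal(s)");
        lc.logout();
        System.out.println("after logout: " + lc.getSubject().getPrincipals().size() + " principal(s)");
    }
}
```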