On Tuesday 23 January 2001 00:16, Scott M Stark wrote:
> It logs you in for the lifetime of the VM or until you login as
> someone else. One problem with the current client side login module
> is that logout is a no-op so that if you do logout, you still have the
> username and credentials of the previous login active.
>
> Is there a reason the logout method does not clear the current
> SecurityAssociation as is done in the abort method?
No. Feel free to change this.
Regards,
Oleg
>
> public class ClientLoginModule implements LoginModule {
>     ....
>     /**
>      * Method to abort the authentication process (phase 2).
>      */
>     public boolean abort() throws LoginException {
>         SecurityAssociation.setPrincipal(null);
>         SecurityAssociation.setCredential(null);
>         return true;
>     }
>
>     public boolean logout() throws LoginException {
>         return true;
>     }
> }
> ----- Original Message -----
> From: "dferugson" <[EMAIL PROTECTED]>
> To: "Oleg Nitz" <[EMAIL PROTECTED]>; "jBoss Developer" <[EMAIL PROTECTED]>
> Sent: Monday, January 22, 2001 1:55 PM
> Subject: [jBoss-Dev] Re: [jBoss-User] jaas
>
> > I think this should be my last question.... ;)
> >
> > When you use the LoginContext to login on the client side,
> > it logs you in, but for how long? Until the life of the
> > method, as long as the LoginContext has scope?
> >
> > I am assuming that while you are logged in (depending on
> > the answer from the question above) all ejb calls will
> > be tied to that user.
> >
> > I am really interested in finding out how JAAS does what it
> > does. I can understand getting an instance to a LoginContext
> > and calling a login method but how can all subsequent calls
> > be sent out by that user without being wrapped in some other
> > interface. etc. Seems like there would have to be a security
> > server on the client side?
> >
> > Once logged in, when requests hit jboss, they have username and
> > password attached so that jBoss will then run it through
> > whichever loginModule that you have attached. This is assuming that
> > each request must go through the login module, if not how
> > is caching implemented?
> >
> > Thanks
> >
> > Oleg Nitz wrote:
> > > On Saturday 20 January 2001 23:52, Ferguson, Doug wrote:
> > > > I think this jaas stuff is slowly starting to unravel
> > > > for me.
> > >
> > > Good :-)
> > >
> > > > Is the loginModule the thing that is pointed to via
> > > > Auth.conf?
> > >
> > > Yes.
> > >
> > > > Where can I find info on writing LoginModules?
> > >
> > > In JAAS documentation, http://java.sun.com/products/jaas
> > >
> > > > You said that names are passed as parameters to the
> > > > login module. This would be in the client code?
> > >
> > > No, I meant the parameters of the login module in auth.conf.
> > > Usually they are called "options", sorry for wrong terminology.
> > >
> > > > I've seen one example of a client that used jaas and it
> > > > has to create a CallbackHandler to pass into the LoginContext.
> > > > Is there a concrete implementation of CallbackHandler
> > > > included with jBoss or will I need to write my own?
> > >
> > > No, you need to write your own, it is a client application
> > > specific thing by definition.
> > >
> > > > Also, since the current DB scheme doesn't support roles, does
> > > > it just restrict users that can't authenticate from calling
> > > > any method?
> > >
> > > If you aren't authenticated, you can't call methods.
> > > If you are authenticated, you can call any method in the bean,
> > > for which ejb-jar.xml doesn't define any roles. If roles are
> > > defined, you cannot call methods at all.
> > >
> > > Regards,
> > > Oleg
> >
> > --
> > Doug Ferguson
> > Software Developer
> > www.coremetrics.com
> > 512-342-2623x212
> > 512-619-9972(cell)
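
The logout cleanup raised at the top of this thread, as an added example that is not part of the original messages and not jBoss's own code. The nested `SecurityAssociation` is a stand-in for the jBoss class of that name, and `ClearingClientLoginModule`, the user name and the password are assumptions made for the demonstration.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class LogoutClearsAssociation {
    static final class SecurityAssociation { // stand-in (assumption): one VM-wide identity
        static volatile Object principal;
        static volatile char[] credential;
        static void setPrincipal(Object p) { principal = p; }
        static void setCredential(char[] c) { credential = c; }
    }
    static final class ClearingClientLoginModule implements LoginModule {
        private CallbackHandler handler;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared,
                               Map<String, ?> options) { handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            SecurityAssociation.setPrincipal(nc.getName());
            SecurityAssociation.setCredential(pc.getPassword()); // getPassword() returns a copy
            pc.clearPassword();                                  // wipe the callback's own copy
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { clear(); return true; }
        public boolean logout() { clear(); return true; } // same cleanup as abort, not a no-op
        private void clear() {
            char[] c = SecurityAssociation.credential;
            if (c != null) Arrays.fill(c, '\0'); // zero the secret before dropping the reference
            SecurityAssociation.setPrincipal(null);
            SecurityAssociation.setCredential(null);
        }
    }
    public static void main(String[] args) throws Exception {
        CallbackHandler h = cbs -> { // constructed sample identity; order matches login()
            ((NameCallback) cbs[0]).setName("alice");
            ((PasswordCallback) cbs[1]).setPassword("constructed-pw".toCharArray());
        };
        LoginModule m = new ClearingClientLoginModule();
        m.initialize(new Subject(), h, new HashMap<String, Object>(), new HashMap<String, Object>());
        m.login();
        System.out.println("after login:  " + SecurityAssociation.principal);
        m.logout();
        System.out.println("after logout: " + SecurityAssociation.principal);
    }
}
```

Because the association is static, a `logout()` that returns without clearing it leaves the previous user's name and credential in place for every later call in the same VM.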