With the 1.1 security model you would have to assign a role
like ReadOnly to those methods and you would have to assign
the ReadOnly role to the anonymous users.  An unauthenticated
user ends up passing a null principal and credential and this is
currently rejected before consulting the security manager and
in turn your login module. The next version will not make a check
for a null principal and will simply let the security manager decide
if this is valid or not.

What's the code snippet you're trying to use in a servlet to set the
anonymous user that is not working? Most likely the problem
is classpath setup so show what exceptions are being generated.

----- Original Message ----- 
From: "Ernest Chen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 13, 2001 8:41 AM
Subject: [JBoss-user] distributed security with JAAS


> Hi,
>  
> Hopefully someone can help me.
> 
> I have successfully deployed a web based admin tools in
> JBOSS-2.2.2_Tomcat-3.2.2 using Jaas based security.  My own UserLoginModule
> worked like a charm.  However other web applications and admin tools need to
> access the same set of secured EJBs, I've tried many times without success
> to have a mix of secured and unsecured access to my beans from different
> web apps, what I basically need is to allow anonymous login for readonly
> access.  Does anyone have any clue what I should do?
>  
> My ideal set up would be as follows
> ===========================
>  
> [Tomcat] with public web applications (no security)   Machine 1.
>       |
> [[[jBoss]]] --> [custom jaas user login module] --> [Oracle DB]     Machine 2a, Machine 2b
>       |
> [Tomcat] with secured web applications for administrators   Machine 3
>  
> All my beans are secured using jaas:/custom.  I have created a standalone
> java application with hard-coded username/password and it connects well with
> JBoss, however the same code placed in a web application failed miserably.
> Any idea?
>  
> Is it possible to secure all write methods but allow read methods to be
> public?
>  
> I know it's a lot of questions, thanks for your patience.
>  
> Ernest
>  
> P.S.  I'm pushing very hard for my company to standardize on jBoss,
> eventually if this application prevails the entire department of about 50
> engineers can become dedicated jBoss users.   - go jBoss
>  
> 


_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user
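
The role split described in the reply, written as an EJB 1.1 `ejb-jar.xml` assembly descriptor. This is an added example, not configuration from either poster: the bean name `CatalogBean`, its method names and the `Admin` role are hypothetical, and it assumes the custom login module grants `ReadOnly` to the identity the public web application uses.

```xml
<!-- Fragment of META-INF/ejb-jar.xml (EJB 1.1). Hypothetical bean and methods. -->
<assembly-descriptor>

  <!-- Declare every role referenced below. -->
  <security-role>
    <description>Read methods only; granted to the anonymous/public identity</description>
    <role-name>ReadOnly</role-name>
  </security-role>
  <security-role>
    <description>Administrators; may call read and write methods</description>
    <role-name>Admin</role-name>
  </security-role>

  <!-- Read path: both roles. EJB 1.1 accepts an exact method name or "*",
       so each read method is listed explicitly rather than by prefix. -->
  <method-permission>
    <role-name>ReadOnly</role-name>
    <role-name>Admin</role-name>
    <method>
      <ejb-name>CatalogBean</ejb-name>
      <method-intf>Home</method-intf>
      <method-name>findByPrimaryKey</method-name>
    </method>
    <method>
      <ejb-name>CatalogBean</ejb-name>
      <method-intf>Remote</method-intf>
      <method-name>getName</method-name>
    </method>
  </method-permission>

  <!-- Write path: Admin only. Listing "*" here grants Admin every method;
       ReadOnly still reaches only the methods named above. -->
  <method-permission>
    <role-name>Admin</role-name>
    <method>
      <ejb-name>CatalogBean</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>

</assembly-descriptor>
```

When reviewing a descriptor like this, check that no write method (`create`, `remove`, setters) appears under the `ReadOnly` permission and that `ReadOnly` is never paired with `*`.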
