See the JAAS tutorial:
http://www.jboss.org/documentation/HTML/ch11s83.html

----- Original Message ----- 
From: "Nick Taylor" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 18, 2001 4:36 AM
Subject: [JBoss-user] EJB and JBoss security


> I am trying to get to grips with security issues with JBoss and in
> particular how the getCallerPrincipal and isCallerInRole methods are used.
> After going through various bits of fragmented documentation it appeared
> that the best (preferred) way to authenticate callers would be external to
> the beans in a servlet that then delegates the caller's request to an EJB.
> The only way I can see that authentication details can be propagated to the
> EJB is through the InitialContext something like this:
> 
> Properties props = System.getProperties();
> props.put(Context.SECURITY_PRINCIPAL, username);
> props.put(Context.SECURITY_CREDENTIALS, role);
> InitialContext ic = new InitialContext(props);
> 
> where username and role derived from a user database or suchlike.
> 
> I thought that the role would then correspond to the security-role and
> method-permission entries in the ejb-jar.xml file but this doesn't seem to
> be the case: 
> isCallerInRole always returns false and getCallerPrincipal throws a
> "java.lang.IllegalStateException: No security context set"
> 
> Could anyone give me some info on how to set up a security context as my
> take on it appears to be way out!
> 
> Cheers
> Nick
> 
> _______________________________________________
> JBoss-user mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/jboss-user
> 

