> > This topic is indeed very confusing. Here are my 2 cents
> > ( though I use it with tomcat )
>
> lol, glad to hear that, I'm going nuts here :-)
Happened to me too... :) But 2 weekends of code diving
( recompiling security stuff myself and adding a LOT
of debug output to trace calls ) helped...
> Did that, seems to work okay. Using a test client from the
> prompt verifies that access to my EJBs is only allowed
> for the correct user/pass combo...
That's the way it works. It's good so :)
> hmmm, perhaps I'm missing something here?! Do I have to
> specify allowed user/pass for both Jetty and JBoss??
> (sure hope not :-)
It depends on what you like to have. I have a brain-dead
security schema in my application ( big banks are
paranoid about security. )
I have EJBs, which manage users - one session bean
and a couple of entities. And my login module goes
to them to authenticate/authorize.
Of course those beans like to have a valid user/pass.
I solved it the following way:
I created a login module just for the backend, which
treats a null principal/credential as "nobody"/"nobody", and
always adds the role "nobody" to every user.
( Though JaasSecurityManager.java needed some patching,
and I already forwarded this patch to the JBoss team.
Hope to see it inside the next release. )
This also allows anonymous access to beans for
non-authenticated users ( they shall be able i.e. to
access stock quotes ), and of course login.
Then there is a separate login module ( and login
context ) just for the web - where it authenticates
against beans ( and has nobody/nobody permission on
them ), and after successful authentication it stores
not the user name as credential ( it is not a primary
key in my schema ), but the ID of the principal bean,
and the password.
After it is stored on the session somewhere, every access
to beans gets those 2 things ( i.e. 2/foobar )
attached, and it's authenticated against the backend login
module. Unfortunately, here I had to go to the database
directly, because trying to access those beans from the
login module caused very deep recursion and a crash.
( maybe I'll find a way to overcome this problem )
This login module performs role mapping, and then it
is stored in some kind of cache somewhere, and used on
subsequent invocations.
If you have a simple setup, where you can get away with
just a login name/password pair, you could use
just one login module.
But remember, Tomcat/Jetty uses assigned roles for web
access only. Role mapping/authentication happens again
on every bean invocation.
I also used a simpler schema for my JUnit tests - I
created a FakeLogin class, which instantiates a
login context and logs me in directly with the desired user
ID and password.
( it goes directly to the backend login module )
[do you have more insight into the problem now :) ? ]
> Doing a session.invalidate has absolutely no effect!
> Doing a simple refresh after the invalidate will just
> bring up the page again, without prompting for
> user/pass!
Maybe it was the cache?
> > You can also throw out any web-context login stuff,
> > and obtain the login context yourselves, provide the
> > necessary callbacks and call login on the context.
> > (just like in the java client examples)
>
> Well, that should of course work, but the other thing
> should work... (I think?!?)
It does :)
regards,
=====
Konstantin Priblouda ( ko5tik ) Freelance Software developer
< http://www.pribluda.de > < play java games -> http://www.yook.de >
< render charts online -> http://www.pribluda.de/povray/ >
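As an added illustration (my own example, not Konstantin's code and not JBoss's patched JaasSecurityManager): a hypothetical JAAS LoginModule that applies the two rules described above for the backend, a null principal/credential is treated as nobody/nobody rather than as a failed login, and every identity, anonymous or not, receives the role "nobody". The in-memory user table, the class and method names, and the 2/foobar and alice/s3cret sample credentials are constructed for the example; JBoss's own login modules collect roles in a Group named "Roles" (org.jboss.security.SimpleGroup), which is replaced here by a plain RolePrincipal so the code compiles on a current JDK without JBoss on the classpath. The authenticate() helper plays the part of the FakeLogin class mentioned above: it drives the module directly without a JAAS configuration file.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical backend login module: null principal/credential = nobody/nobody, role "nobody" for everyone. */
public class NobodyFallbackLoginModule implements LoginModule {

    /** Minimal Principal types; in JBoss, SimplePrincipal and a SimpleGroup named "Roles" take this place. */
    public static class UserPrincipal implements Principal {
        final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return getClass().getSimpleName() + ":" + name; }
        public boolean equals(Object o) {
            return o != null && o.getClass() == getClass() && name.equals(((UserPrincipal) o).name);
        }
        public int hashCode() { return toString().hashCode(); }
    }
    public static class RolePrincipal extends UserPrincipal { RolePrincipal(String n) { super(n); } }

    // Constructed in-memory user store; in the mail this is the user session bean / database.
    private static final Map<String, String> PASSWORDS = Map.of("2", "foobar", "alice", "s3cret");
    private static final Map<String, Set<String>> ROLES = Map.of("2", Set.of("customer"), "alice", Set.of("admin"));

    private Subject subject;
    private CallbackHandler handler;
    private String userId;                              // null until login() succeeds
    private final Set<Principal> added = new HashSet<>(); // what commit() put into the Subject, for logout()

    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        String name = null;
        char[] pw = null;
        if (handler != null) {                          // no handler at all: nothing to ask, anonymous below
            NameCallback nc = new NameCallback("user id: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException("callback failed: " + e); }
            name = nc.getName();
            pw = pc.getPassword();
            pc.clearPassword();
        }
        // The fallback the mail describes: missing principal AND credential is the anonymous identity, not an error.
        if (name == null && pw == null) { userId = "nobody"; return true; }
        // A name without a matching password is still a failed login; only the fully-null case is anonymous.
        String expected = PASSWORDS.get(name);
        if (expected == null || pw == null || !expected.equals(new String(pw))) {
            throw new FailedLoginException("bad user/pass");
        }
        userId = name;
        return true;
    }

    public boolean commit() {
        if (userId == null) return false;
        added.add(new UserPrincipal(userId));
        added.add(new RolePrincipal("nobody"));         // every caller carries "nobody", anonymous or not
        for (String r : ROLES.getOrDefault(userId, Set.of())) added.add(new RolePrincipal(r)); // role mapping
        subject.getPrincipals().addAll(added);
        return true;
    }

    public boolean abort() { userId = null; added.clear(); return true; }

    public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); userId = null; return true; }

    /** Drives the module directly, the way a FakeLogin test helper would, without a JAAS config file. */
    static Set<Principal> authenticate(String user, String pass) throws LoginException {
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback)
                    ((PasswordCallback) c).setPassword(pass == null ? null : pass.toCharArray());
            }
        };
        Subject s = new Subject();
        NobodyFallbackLoginModule m = new NobodyFallbackLoginModule();
        m.initialize(s, h, Map.of(), Map.of());
        if (!m.login()) { m.abort(); throw new LoginException("login refused"); }
        m.commit();
        return s.getPrincipals();
    }

    public static void main(String[] args) throws LoginException {
        System.out.println("anonymous: " + authenticate(null, null));     // user nobody + role nobody only
        System.out.println("2/foobar:  " + authenticate("2", "foobar"));  // user 2 + roles nobody and customer
        try { authenticate("2", "wrong"); }
        catch (FailedLoginException e) { System.out.println("2/wrong:   " + e.getMessage()); }
    }
}
```

The point to check when adopting this pattern is the condition in login(): only the case where both principal and credential are absent becomes "nobody". If a caller supplies a name with no password, or a password for an unknown name, the module must still throw, otherwise the anonymous fallback turns into a bypass for any bean that nobody/nobody may not call.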
_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user