Then you have to behave as any other client accessing a secured ejb, and
do a JAAS login. There will be no principal in general on an unsecured page
though.

xxxxxxxxxxxxxxxxxxxxxxxx
Scott Stark
Chief Technology Officer
JBoss Group, LLC
xxxxxxxxxxxxxxxxxxxxxxxx
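
The JAAS login described in the reply above, as an added example (not code from this thread or from JBoss): a helper a servlet on an unsecured page could wrap around its EJB calls. `EjbCallerIdentity`, `EjbWork` and `runAs` are hypothetical names; it assumes the JBoss client classes are on the classpath and that login-config.xml contains a `client-login` entry backed by `org.jboss.security.ClientLoginModule`.

```java
import java.util.Arrays;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

/** Hypothetical helper: runs one unit of EJB work under a caller-supplied identity. */
public final class EjbCallerIdentity {

    /** Hypothetical callback wrapping the EJB calls made for one request. */
    public interface EjbWork<T> {
        T run() throws Exception;
    }

    // Assumption: login-config.xml has a "client-login" entry that uses
    // org.jboss.security.ClientLoginModule.
    private static final String CLIENT_LOGIN_ENTRY = "client-login";

    private EjbCallerIdentity() {
    }

    public static <T> T runAs(String username, char[] password, EjbWork<T> work)
            throws Exception {
        if (username == null || username.length() == 0 || password == null) {
            throw new LoginException("username and password are required");
        }
        UsernamePasswordHandler handler = new UsernamePasswordHandler(username, password);
        LoginContext lc = new LoginContext(CLIENT_LOGIN_ENTRY, handler);
        // ClientLoginModule does not verify the password. It only associates the
        // name and credential with the calling thread; the security-domain of the
        // EJB container authenticates them when the invocation arrives.
        lc.login();
        try {
            // The identity travels with the thread, not with a JNDI InitialContext,
            // so home interfaces looked up earlier can be reused here.
            return work.run();
        } finally {
            // Request threads are pooled: always clear the identity so it cannot
            // carry over to the next request served by this thread.
            lc.logout();
            Arrays.fill(password, '\0');
        }
    }
}
```
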
----- Original Message -----
Sent: Friday, January 10, 2003 3:48 PM
Subject: Re: [JBoss-user] How to use a principal from a webapp for securing ejb calls

I may be going out on a limb here, but I think Sven's question may be along
the same lines of what I have been wondering about, which is:

If you do not lock down the servlets (i.e. no security) but you want to
collect username and credential information in the web layer, how do you
create and propagate the security context to the EJB layer from there?

//Nicholas

Scott M Stark <[EMAIL PROTECTED]> wrote:

You use the bundled Tomcat or Jetty containers and use the same
security-domain value in the ejbs as the web app and do nothing else.

xxxxxxxxxxxxxxxxxxxxxxxx
Scott Stark
Chief Technology Officer
JBoss Group, LLC
xxxxxxxxxxxxxxxxxxxxxxxx

----- Original Message -----
From: "Scheil, Sven" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 10, 2003 5:41 AM
Subject: [JBoss-user] How to use a principal from a webapp for securing ejb calls

> We have developed a multitier app (cmdline clients, webclients, ejb business
> layer and db layer). Running all on a jboss 3.0.3; the webclients are
> developed using struts 1.1; the complete application can be put in one ear
> file.
>
> The access to the webclients is controlled by a form-based authentication
> with a security-domain configured via login-config.xml:
>
> ="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
> ="dsJndiName">java:/CloudscapeDS
> select PASSWORD from PERSON p where p.USERNAME=? and p.LOCKED=false
> select r.ROLE,'Roles' from PERSON_ROLE_ROLE_PERSON_ROLE r, PERSON p where
> p.USERNAME=? AND p.PERSONNO=r.PERSON
>
> This works all very well.
>
> Now we would like to use declarative Security for our EJBs (with the same
> realm). But we don't know how to use the principal (we have in each request
> of my webclients) to authenticate against the ejb container.
>
> Do we have to build our own Hashtable h with
>
> ...
> h.put(javax.naming.Context.SECURITY_PRINCIPAL, request.getUserPrincipal());
> ...
>
> ctx = new InitialContext(h);
>
> and saving this ctx in a session attribute of my webclient to use for
> further lookups?
>
> If this is the way, we get into trouble with our implementation of the
> ServiceLocator pattern. Our ServiceLocator class is a Singleton and returns
> the home interfaces of our EJBs. The InitialContext is stored once in an
> instance variable.
>
> Could anyone give us a short description of the right way or send us a url
> of an example app?
>
> Thank you
> Sven

Nicholas Whitehead
Home: (973) 377 9335
Cell: (201) 615 2716
Work: (212) 622 5639
[EMAIL PROTECTED]