Hi,

In one of our applications we have used the following architecture (this
works only in *intranet*)

1) Expose a servlet called authenticate using jCIFS
(http://jcifs.samba.org/). This servlet gets the NTLM user credentials
and checks for authentication against the database. If the user is allowed,
then it returns a sessionId, else it returns an error message.
2) All SOAP methods expect session id as one of the arguments. The
server code checks the submitted sessionId against stored list of
sessionIds. If the submitted sessionId is valid, then proceed to do the
business logic, else return an error.
3) C# client calls authenticate servlet and gets a valid session Id and
the client submits this session for each SOAP method call.
4) The server should also have its own implementation of expiring the
session after a certain duration.

We have used this logic in two of our projects and they are working fine
without any problem.

-Sreedhar

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of JAYARAM, Sujay, FM
Sent: Friday, May 07, 2004 6:31 PM
To: '[EMAIL PROTECTED]'
Cc: BENVENUTTO, Simon, FM
Subject: [JBoss-user] Security and C# clients



Hi all,

We are currently exposing session beans within JBoss as web services (using
axis) to C# clients. We want to use the declarative syntax provided by J2EE
within our beans' deployment descriptors and to use JAAS/JBoss security
features - the problem is that there seems to be no standard mechanism for a
C# client to provide its credentials (that we know of) so that any beans
with restricted role access can never be called (or rather these calls will
return with security exception).

Have other people solved this problem in any form? One thing we have looked
at is writing an Interceptor which uses known 'user'/'password' parameters
from the C# client and attempts to do a JAAS logon at a point in the call
stack prior to the SecurityInterceptor, so as to assume the roles required
by the bean we mean to call. However this still seems to fail :-(

Any help with this would be appreciated.

Thanks
Sujay






-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to 
deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
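
The session-ID scheme in steps 1, 2 and 4 of the reply at the top of this thread can be sketched as a small server-side registry. This is an added example, not code from the thread or from the posters' projects; the class name `SessionRegistry`, the 30-minute lifetime and the sample user are assumptions, the jCIFS/NTLM step is taken as already done before `issue` is called, and it needs Java 16 or later.

```java
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical registry: issues, checks and expires the session IDs from steps 1, 2 and 4.
public class SessionRegistry {
    private record Entry(String user, Instant expires) {}

    private final Map<String, Entry> sessions = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final Duration ttl;
    private final Clock clock;

    public SessionRegistry(Duration ttl, Clock clock) { this.ttl = ttl; this.clock = clock; }

    // Step 1: the authenticate servlet calls this after the user passed the database check.
    public String issue(String user) {
        byte[] raw = new byte[32];                 // 256 random bits, so IDs cannot be guessed
        rng.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(id, new Entry(user, clock.instant().plus(ttl)));
        return id;
    }

    // Step 2: every SOAP method calls this first; an empty result means "return an error".
    public Optional<String> validate(String id) {
        Entry e = (id == null) ? null : sessions.get(id);
        if (e == null) return Optional.empty();    // unknown or forged ID
        if (!clock.instant().isBefore(e.expires())) {
            sessions.remove(id, e);                // step 4: expiry is enforced on the server
            return Optional.empty();
        }
        return Optional.of(e.user());              // caller identity bound to the session
    }

    public static void main(String[] args) {
        SessionRegistry reg = new SessionRegistry(Duration.ofMinutes(30), Clock.systemUTC());
        String id = reg.issue("DOMAIN\\alice");    // constructed sample user
        System.out.println("issued id accepted: " + reg.validate(id).isPresent());
        System.out.println("forged id accepted: " + reg.validate("forged").isPresent());
        SessionRegistry shortLived = new SessionRegistry(Duration.ZERO, Clock.systemUTC());
        System.out.println("expired id accepted: " + shortLived.validate(shortLived.issue("bob")).isPresent());
    }
}
```

Because the session ID is the only credential sent with each SOAP call, it should travel over TLS and be tied to the authenticated user, as `validate` does by returning the user name rather than a bare yes/no.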

