I have never created a patch for JBoss before, but I will give it a try. I would also like the solution to be complete and to work when using a web client going through a servlet.
Here is what I did so far:

1) Create a simple servlet that is deployed under the same JAAS security domain as my EJBs and uses BASIC authentication.

2) With the default bundled Tomcat configuration, it seems that the identity is automatically propagated to the EJBs (thanks to org.jboss.web.tomcat.security.SecurityAssociationValve).

3) But I am facing the same problem that I initially had with my EJB client: if two users log in through the web browser using the same user name and password, although they will be seen as two separate HTTP sessions, they will share the same principal object in the EJB layers.

Contrary to the EJB client case, I cannot have a custom client login module to create a custom principal. And the web UI is not going to do anything like that for me either.

Ideally, I'd like to be able to "add" the HTTP session id as part of the principal to make it unique for each client authentication. But I am not very clear on how I can do such a thing (because of my misunderstanding of the overall flow between Tomcat and JBoss).

Do I need to create my own org.jboss.web.tomcat.security.SecurityAssociationValve in order to do that? Is this valve invoked before the JAAS authentication is done? Who is actually calling the JAAS authentication mechanism? JBossSecurityMgrRealm? If yes, I did not see it configured in any of the Tomcat configuration files.

Thomas

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3878210#3878210