Basically, your servlet is a client to your EJBs.
With JBoss, if a client is doing an explicit JAAS login, the established 
security context is propagated to the backend EJBs only if you have the JBoss 
ClientLoginModule as part of your JAAS configuration.

I am assuming that you edited the login-config.xml for JBoss to create your 
"domain" JAAS configuration.
This configuration needs to look like this:

domain {
   ...... //Any other login module that you might require.
   org.jboss.security.ClientLoginModule  required;
};

The ClientLoginModule at the end of your JAAS module stack will basically make 
sure that the security context is propagated to backend EJBs.

In your scenario:

#1 login
#2 call methods
#3 logout

If this is all one single HTTP request, then what you are doing is fine.
If the #2 must spawn multiple HTTP requests, it is definitely better to let the 
container (Tomcat/JBoss) do the authentication for you through BASIC or FORM 
based authentication.

Thomas


View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3887785#3887785
