I'm running a Resin 1.2.0 Webserver on the first machine, with a Resin JDBCRealm to authenticate the users. On the second machine there is a Jonas/Jeremie combination.

To secure my JMS Subscribers, so that only the webserver-client or other programmatically allowed clients (and not everybody) can publish messages to the topics, I think I can set a uid/pwd on the topic, so that should not be a problem. The access to methods of the EJB Beans can be secured with an assembly-descriptor with roles, etc. in the ejb-jar.xml.

But how can I tell Jonas that a user that has successfully logged in to the Resin Realm is really an authenticated user...?

I read all the security related docs of the jonas dist. and I saw that Jonas is using the jonas-users.properties file. But with 1000+ users you cannot add them all to this file by hand...

There is a jonas RequestInterceptor for Tomcat that maps the Tomcat-Realm users to jonas. But as I read, Jonas still has to provide its own user-list and only compares whether the Tomcat-User is in the necessary roles...

So how should I go on? What is the easiest way to make my EJB methods secure? Do I have to write my own SecurityModule for Jonas to read the users out of the same database as the resin realm does, and how do I then connect the resin users to the jonas users?

Isn't there a way to share users across resin and jonas? Only with one user-list/SecurityModule?

Any help would be great!

Regards,
reto
