Hi Arved,

> Although we have a single servlet front-end, and do programmatic
> user management (including login), the actual user manager and role manager
> stuff all happens down in EJB-land (in a session bean being referenced from
> the servlet). So we do not use JNDI properties at all for authentication,
> except for some secondary application clients.

Are you saying that you simply ignore EJB-based permissions, and manage all
of the access internally in your session beans? This is the approach that I
want to take, but I want to be sure that only my servlets can actually get
to the methods that establish the "user session" upon which all else depends.

Or are you saying that the servlet hands requests to Session Beans, and then
the SBs are changing the principal via RoleManager.login()?

> So I'm sorry if I gave the wrong impression. Based on user input, the
> servlet is telling the EJB (and dependents) when usermanager things need to
> be done; the servlet is not actually doing that itself.

Again, are you using your own permission management, or are you using the
EJB permissions? Or are you just talking about user "management"
(add, remove, etc.)?

I am trying to establish user method permissions, not managing users, and I
cannot get that to work at all.

> Incidentally, the JNDI lookup that works just fine here is precisely:
> 
> roleManager = (RoleManager) new InitialContext().lookup("java:comp/RoleManager");

Ah! I will try that. Thanks.

> I might add that we are using the EJBUserManager, and we have found that the
> programmatic control of groups doesn't work properly, so we hacked a
> workaround (concern when updating or adding users). Otherwise everything
> described above is cool.

Well, this now suggests to me that you are using EJB permissions. Are you
calling RoleManager.login() to change the principal from what the servlet
had established via jndi.properties?

> Assuming you figure out the jndi.properties thing, then you ought to be able
> to obtain the principal name and the credentials (password) from the
> environment, and pass that info into a session bean that can actually do the
> usermanager and role manager stuff. IMO.

This is very confusing to me. If I have N users hitting 1 servlet, and that
servlet is establishing the principal from jndi.properties, how in the world
do I establish the user for EJB permissions? When that servlet accesses a
session bean, the SB will see the user from jndi.properties, not the user that
is driving the servlet. How do you work with that? RoleManager.login()?

In my opinion, this is one of the most critical and least understood aspects
of Orion, and the most poorly documented. I get the impression that no one is
doing any serious user management. Or they are not sharing how...

I would like to cut a check for Orion, but I need to confirm that it will
support our needs, and permissions and performance are the last things I
need to verify.

Thanks again,
tim.

