Web Application Authentication seems to work fine - a client of mine is
using FORM based authentication for a simple app. I don't know what you mean
by "dynamic" identities - we store userid info in a relational db.

I have not checked the J2EE specs for required behaviour of non-Web
application clients - what do the specs say? However, I suspect the problem
may have to do with the RoleManager, which to my knowledge isn't
configurable at this time in Orion and relies on *.xml ("non-dynamic as in
rel. db"?) role definitions. You may want to try to use RoleManager.login
(instead of setting the JNDI properties) on your application client - I have
not tried it, so don't know whether this works. You may have noticed there is
no logout method specified - I don't know how a Web Session does that
internally (but it sure works).

        --peter

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Tim Endres
Sent: Tuesday, June 12, 2001 10:51 AM
To: Orion-Interest
Subject: Re: Security bug with application clients?

> I think maybe I didn't make something clear.  I am using a java
> "application" client, NOT a web client.  As such, I cannot invalidate
> sessions, make posts, etc.
>

I will repeat that we have seen that Orion's InitialContext and Principal
identity features do not work. They do not work in servlets, they do not
work in client apps. They do not work for JMS. They do not work, Sam I am.
We have given up on using any container authentication short of "guest".
This is only for "dynamic" identities. It appears that static identity via
the 'jndi.properties' file works ok.

> Orion seems to be written primarily as a web app server, and I have seen
> very little information on using it as a direct application server (in Orion
> literature or in the Oracle OC4J docs.)  Since very few people are using
> Orion in this way, I guess I should expect to see a few bugs here and there.
> (I'm guessing that this is an application-client specific issue.)
>

We use Orion with standalone Java client applications. They work fine.
Except for authentication, which does not work.


