Please give more details. It is confusing to hear that it doesn't work when
in my case all works. I checked 3 different cases:
1) WEB authentication - OK,
2) application-client with jndi.prop file - OK.
3) remote client with properties set via Initial Context
(+RMIInitialContextFactory instead of ClientInitialContextFact) - OK.
So what's the point? 

> -----Original Message-----
> From: cybermaster [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, 13 June 2001 01:20
> To:   Orion-Interest
> Subject:      RE: Security bug with application clients?
> 
> Web Application Authentication seems to work fine - a client of mine is
> using FORM based authentication for a simple app. I don't know what you
> mean by "dynamic" identities - we store userid info in a relational db.
> 
> I have not checked the j2ee specs for required behaviour of non-Web
> application clients - what do the specs say? However, I suspect the
> problem may have to do with the RoleManager, which to my knowledge isn't
> configurable at this time in Orion and relies on *.xml ("non-dynamic as in
> rel. db"?) role definitions. You may want to try to use RoleManager.login
> (instead of setting the JNDI properties) on your application client - I
> have not tried it, so don't know whether this works. You may have noticed
> there is no logout method specified - I don't know how a Web Session does
> that internally (but it sure works)
> 
>       --peter
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Tim Endres
> Sent: Tuesday, June 12, 2001 10:51 AM
> To: Orion-Interest
> Subject: Re: Security bug with application clients?
> 
> > I think maybe I didn't make something clear.  I am using a java
> > "application" client, NOT a web client.  As such, I cannot invalidate
> > sessions, make posts, etc.
> >
> 
> I will repeat that we have seen that Orion's InitialContext and Principal
> identity features do not work. They do not work in servlets, they do not
> work in client apps. They do not work for JMS. They do not work, Sam I am.
> We have given up on using any container authentication short of "guest".
> This is only for "dynamic" identities.
> It appears that static identity via the 'jndi.properties' file works ok.
> 
> > Orion seems to be written primarily as a web app server, and I have seen
> > very little information on using it as a direct application server (in
> > Orion literature or in the Oracle OC4J docs.)  Since very few people are
> > using Orion in this way, I guess I should expect to see a few bugs here
> > and there. (I'm guessing that this is an application-client specific
> > issue.)
> >
> 
> We use Orion with standalone Java client applications. They work fine.
> Except for authentication, which does not work.
> 
> 
