All, My apologies in advance if this has already been answered... I have looked at past posts but haven't seen anything definitive.
I have two questions. The first is about ClientLoginModule and the underlying security classes. It seems these classes are hard-coded to use NameCallback and PasswordCallback to extract the username/password. These are somehow sent to JBoss, which reconstructs a UsernamePasswordHandler object which it passes to the login modules. It seems to me that this is a serious limitation. A username string and password string are not enough for some applications (like mine). My life would be much easier if I were able to define my own callback handler class, implement Serializable, and have ClientLoginModule send it over to the server without modification. Is anything like this possible in the 4.0 development branch? If not, are there any plans for this kind of thing in the future? Am I missing some fundamental alternate way of doing this?

My second question probably stems from a lack of knowledge of the J2EE declarative security model, so please forgive my ignorance! I have a User CMP entity bean which only exposes local interfaces. I then have an Authenticator session facade bean. The Authenticator uses run-as to gain enough privileges to access the appropriate methods of the User bean and do its magic. I'd like my JAAS login module to be able to instantiate an Authenticator bean and delegate authentication to it. The problem is that even when I specify unchecked permissions for the Authenticator methods in ejb-jar.xml, JBoss still seems to want an authenticated principal. It doesn't care what roles that principal has, but it needs to be authenticated with my login module, which is impossible because it's my login module that needs to access the bean! The only way I could find to allow unauthenticated access to the bean is by removing the assembly-descriptor section altogether, along with the security-domain element in jboss.xml. But of course if I do that I lose declarative security on all the other beans.
Is there a way to do what I'm describing, without creating a separate deployment descriptor and archive just for the Authenticator bean? Thanks in advance. I've been pleased with JBoss and J2EE and if I can get these snags resolved, I'll truly be a believer. Happy Independence Day to the other Americans out there!

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3840868#3840868

JBoss-user mailing list
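The first question turns on how JAAS callbacks work: a LoginModule asks its CallbackHandler for whatever Callback objects it needs, and a handler that does not recognise a callback type must throw UnsupportedCallbackException. The example below is added here to illustrate that mechanism in plain JAAS; it is not code from the post or from JBoss, and it says nothing about whether JBoss's ClientLoginModule forwards a custom handler to the server (which is exactly what the poster is asking). The OneTimeCodeCallback, DemoHandler and OtpLoginModule classes, the credentials in verify(), and the one-time code itself are all constructed for the demonstration.

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class CustomCallbackDemo {

    /** Hypothetical extra credential requested in addition to name and password. */
    public static final class OneTimeCodeCallback implements Callback, Serializable {
        private String code;
        public String getCode() { return code; }
        public void setCode(String c) { code = c; }
    }

    /** Handler that answers the two standard callbacks and, if it has a code, the custom one. */
    public static final class DemoHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        private final String otp; // null means "this handler only knows name/password"

        DemoHandler(String user, char[] password, String otp) {
            this.user = user; this.password = password; this.otp = otp;
        }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password); // PasswordCallback clones the array
                } else if (cb instanceof OneTimeCodeCallback && otp != null) {
                    ((OneTimeCodeCallback) cb).setCode(otp);
                } else {
                    // Standard JAAS contract: a handler that cannot satisfy a callback says so.
                    throw new UnsupportedCallbackException(cb, "callback not supported by this handler");
                }
            }
        }
    }

    /** Login module that needs all three callbacks; fails cleanly if the handler cannot supply them. */
    public static final class OtpLoginModule implements LoginModule {
        private CallbackHandler handler;
        private boolean succeeded;

        public void initialize(Subject subject, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            handler = h;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            OneTimeCodeCallback oc = new OneTimeCodeCallback();
            try {
                handler.handle(new Callback[] { nc, pc, oc });
            } catch (UnsupportedCallbackException e) {
                throw new LoginException("handler cannot supply a required callback: " + e.getMessage());
            } catch (IOException e) {
                throw new LoginException("callback I/O failure: " + e.getMessage());
            }
            char[] pw = pc.getPassword(); // a copy; clear both copies when done
            try {
                succeeded = verify(nc.getName(), pw, oc.getCode());
            } finally {
                if (pw != null) Arrays.fill(pw, '\0');
                pc.clearPassword();
            }
            if (!succeeded) throw new LoginException("authentication failed");
            return true;
        }

        /** Constructed fixture standing in for a real credential store. */
        static boolean verify(String user, char[] pw, String code) {
            return "alice".equals(user)
                && Arrays.equals(pw, "s3cret".toCharArray())
                && "123456".equals(code);
        }

        public boolean commit() { return succeeded; }
        public boolean abort() { succeeded = false; return true; }
        public boolean logout() { succeeded = false; return true; }
    }

    public static void main(String[] args) throws LoginException {
        // Handler that knows the one-time code: login succeeds.
        OtpLoginModule ok = new OtpLoginModule();
        ok.initialize(new Subject(), new DemoHandler("alice", "s3cret".toCharArray(), "123456"), null, null);
        System.out.println("full handler: login=" + ok.login());

        // Name/password-only handler (the situation described in the post): the module rejects the login
        // instead of silently authenticating on two factors out of three.
        OtpLoginModule limited = new OtpLoginModule();
        limited.initialize(new Subject(), new DemoHandler("alice", "s3cret".toCharArray(), null), null, null);
        try {
            limited.login();
        } catch (LoginException e) {
            System.out.println("name/password-only handler: " + e.getMessage());
        }
    }
}
```

The point of the second run is the failure mode: whatever transport carries the handler to the server, a module that needs more than NameCallback and PasswordCallback should treat "handler cannot answer" as a hard failure, never as "proceed with what we have."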