Re: [JBoss-user] How to use a principal from a webapp for securing ejb calls

2003-01-10 Thread Scott M Stark



Then you have to behave as any other client accessing a secured ejb, and
do a JAAS login. There will be no principal in general on an unsecured page
though.

Scott Stark
Chief Technology Officer
JBoss Group, LLC

- Original Message - 
From: Nicholas
To: [EMAIL PROTECTED]
Sent: Friday, January 10, 2003 3:48 PM
Subject: Re: [JBoss-user] How to use a principal from a webapp for securing ejb calls
  
I may be going out on a limb here, but I think Sven's question may be along
the same lines of what I have been wondering about, which is:
If you do not lock down the servlets (i.e. no security) but you want to
collect username and credential information in the web layer, how do you
create and propagate the security context to the EJB layer from there?

//Nicholas

Scott M Stark <[EMAIL PROTECTED]> wrote:
You use the bundled Tomcat or Jetty containers and use the same
security-domain value in the ejbs as the web app and do nothing else.

Scott Stark
Chief Technology Officer
JBoss Group, LLC

- Original Message - 
From: "Scheil, Sven" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 10, 2003 5:41 AM
Subject: [JBoss-user] How to use a principal from a webapp for securing ejb calls

> We have developed a multitier app (cmdline clients, webclients, ejb business
> layer and db layer). Running all on a jboss 3.0.3; the webclients are
> developed using struts 1.1; the complete application can be put in one ear
> file.
> 
> The access to the webclients is controlled by a form-based authentication
> with a security-domain configured via login-config.xml:
> 
> <!-- element names and the principalsQuery/rolesQuery option names were
>      stripped by the list archive and are restored here; the policy name
>      did not survive -->
> <application-policy name="POLICY_NAME_NOT_PRESERVED">
>   <authentication>
>     <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
>       <module-option name="dsJndiName">java:/CloudscapeDS</module-option>
>       <module-option name="principalsQuery">select PASSWORD from PERSON p where p.USERNAME=? and p.LOCKED=false</module-option>
>       <module-option name="rolesQuery">select r.ROLE,'Roles' from PERSON_ROLE_ROLE_PERSON_ROLE r, PERSON p where p.USERNAME=? AND p.PERSONNO=r.PERSON</module-option>
>     </login-module>
>   </authentication>
> </application-policy>
> 
> This works all very well.
> 
> Now we would like to use declarative Security for our EJBs (with the same
> realm). But we don't know how to use the principal (we have in each request
> of my webclients) to authenticate against the ejb container.
> 
> Do we have to build our own Hashtable h with
> 
> ...
> h.put(javax.naming.Context.SECURITY_PRINCIPAL, request.getUserPrincipal());
> ...
> 
> ctx = new InitialContext(h);
> 
> and saving this ctx in a session attribute of my webclient to use for
> further lookups?
> 
> If this is the way, we run into trouble with our implementation of the
> ServiceLocator pattern. Our ServiceLocator class is a Singleton and returns
> the home interfaces of our EJBs. The InitialContext is stored once in an
> instance variable.
> 
> Could anyone give us a short description of the right way or send us a URL
> of an example app?
> 
> Thank you
> Sven

---
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
___
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user

Nicholas Whitehead
Home: (973) 377 9335
Cell: (201) 615 2716
Work: (212) 622 5639
[EMAIL PROTECTED]
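The JAAS login Scott refers to, as an added example and not code from the thread: a hypothetical helper for JBoss 3.x that logs in through the stock `client-login` policy (`org.jboss.security.ClientLoginModule`) from a servlet that is not itself secured. It assumes the ejb's jboss.xml names the same security-domain as the web app (Scott's earlier answer), so the ejb container validates the submitted name and password with the DatabaseServerLoginModule from Sven's login-config.xml; the domain name `MyDomain` is a stand-in.

```java
import java.util.Arrays;
import java.util.concurrent.Callable;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Hypothetical helper, not code from the thread. Assumed deployment descriptors:
//   jboss-web.xml: <security-domain>java:/jaas/MyDomain</security-domain>
//   jboss.xml:     <security-domain>java:/jaas/MyDomain</security-domain>
// "MyDomain" stands in for Sven's application-policy name, which the archive lost.
public final class EjbCallerLogin implements CallbackHandler {
    private final String username;
    private final char[] password;
    public EjbCallerLogin(String username, char[] password) { this.username = username; this.password = password; }

    // Hands the name and password to the login module that asks for them.
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof NameCallback) {
                ((NameCallback) callbacks[i]).setName(username);
            } else if (callbacks[i] instanceof PasswordCallback) {
                ((PasswordCallback) callbacks[i]).setPassword(password);
            } else {
                throw new UnsupportedCallbackException(callbacks[i]);
            }
        }
    }

    // JBoss's stock "client-login" policy (org.jboss.security.ClientLoginModule) does not verify
    // the password; it only binds the identity to the calling thread. The EJB container checks it
    // against MyDomain's DatabaseServerLoginModule (Sven's principalsQuery) on the first secured call.
    public static LoginContext login(String username, char[] password) throws LoginException {
        LoginContext lc = new LoginContext("client-login", new EjbCallerLogin(username, password));
        lc.login();
        return lc;
    }

    // Runs one unit of EJB work as the given user and always logs out again. The identity
    // travels with the thread, not with an InitialContext, so a singleton ServiceLocator
    // holding one InitialContext (Sven's concern) can stay as it is.
    public static <T> T callAs(String username, char[] password, Callable<T> work) throws Exception {
        LoginContext lc = login(username, password);
        try {
            return work.call();          // e.g. lookup through the ServiceLocator, then the EJB call
        } finally {
            lc.logout();                 // drop the thread-bound identity before this pooled thread serves another request
            Arrays.fill(password, '\0'); // do not keep the credential longer than the call
        }
    }
}
```

A failed password shows up as the EJB container rejecting the first secured call, not as a failure of `lc.login()`, so servlet code should treat both as authentication errors.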


Re: [JBoss-user] How to use a principal from a webapp for securing ejb calls

2003-01-10 Thread Nicholas
I may be going out on a limb here, but I think Sven's question may be along the same lines of what I have been wondering about, which is:
If you do not lock down the servlets (i.e. no security) but you want to collect username and credential information in the web layer, how do you create and propagate the security context to the EJB layer from there?
 
//Nicholas
 
Scott M Stark <[EMAIL PROTECTED]> wrote:
You use the bundled Tomcat or Jetty containers and use the same
security-domain value in the ejbs as the web app and do nothing else.

Scott Stark
Chief Technology Officer
JBoss Group, LLC

- Original Message - 
From: "Scheil, Sven" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 10, 2003 5:41 AM
Subject: [JBoss-user] How to use a principal from a webapp for securing ejb calls

> We have developed a multitier app (cmdline clients, webclients, ejb business
> layer and db layer). Running all on a jboss 3.0.3; the webclients are
> developed using struts 1.1; the complete application can be put in one ear
> file.
> 
> The access to the webclients is controlled by a form-based authentication
> with a security-domain configured via login-config.xml:
> 
> <!-- element names and the principalsQuery/rolesQuery option names were
>      stripped by the list archive and are restored here; the policy name
>      did not survive -->
> <application-policy name="POLICY_NAME_NOT_PRESERVED">
>   <authentication>
>     <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
>       <module-option name="dsJndiName">java:/CloudscapeDS</module-option>
>       <module-option name="principalsQuery">select PASSWORD from PERSON p where p.USERNAME=? and p.LOCKED=false</module-option>
>       <module-option name="rolesQuery">select r.ROLE,'Roles' from PERSON_ROLE_ROLE_PERSON_ROLE r, PERSON p where p.USERNAME=? AND p.PERSONNO=r.PERSON</module-option>
>     </login-module>
>   </authentication>
> </application-policy>
> 
> This works all very well.
> 
> Now we would like to use declarative Security for our EJBs (with the same
> realm). But we don't know how to use the principal (we have in each request
> of my webclients) to authenticate against the ejb container.
> 
> Do we have to build our own Hashtable h with
> 
> ...
> h.put(javax.naming.Context.SECURITY_PRINCIPAL, request.getUserPrincipal());
> ...
> 
> ctx = new InitialContext(h);
> 
> and saving this ctx in a session attribute of my webclient to use for
> further lookups?
> 
> If this is the way, we run into trouble with our implementation of the
> ServiceLocator pattern. Our ServiceLocator class is a Singleton and returns
> the home interfaces of our EJBs. The InitialContext is stored once in an
> instance variable.
> 
> Could anyone give us a short description of the right way or send us a URL
> of an example app?
> 
> Thank you
> Sven

Nicholas Whitehead
Home: (973) 377 9335
Cell: (201) 615 2716
Work: (212) 622 5639
[EMAIL PROTECTED]

Re: [JBoss-user] How to use a principal from a webapp for securing ejb calls

2003-01-10 Thread Scott M Stark
You use the bundled Tomcat or Jetty containers and use the same security-domain
value in the ejbs as the web app and do nothing else.


Scott Stark
Chief Technology Officer
JBoss Group, LLC


- Original Message - 
From: "Scheil, Sven" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 10, 2003 5:41 AM
Subject: [JBoss-user] How to use a principal from a webapp for securing ejb calls


> We have developed a multitier app (cmdline clients, webclients, ejb business
> layer and db layer). Running all on a jboss 3.0.3; the webclients are
> developed using struts 1.1; the complete application can be put in one ear
> file.
> 
> The access to the webclients is controlled by a form-based authentication
> with a security-domain configured via login-config.xml:
> 
> <!-- element names and the principalsQuery/rolesQuery option names were
>      stripped by the list archive and are restored here; the policy name
>      did not survive -->
> <application-policy name="POLICY_NAME_NOT_PRESERVED">
>   <authentication>
>     <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
>       <module-option name="dsJndiName">java:/CloudscapeDS</module-option>
>       <module-option name="principalsQuery">select PASSWORD from PERSON p where p.USERNAME=? and p.LOCKED=false</module-option>
>       <module-option name="rolesQuery">select r.ROLE,'Roles' from PERSON_ROLE_ROLE_PERSON_ROLE r, PERSON p where p.USERNAME=? AND p.PERSONNO=r.PERSON</module-option>
>     </login-module>
>   </authentication>
> </application-policy>
> 
> This works all very well.
> 
> Now we would like to use declarative Security for our EJBs (with the same
> realm). But we don't know how to use the principal (we have in each request
> of my webclients) to authenticate against the ejb container.
> 
> Do we have to build our own Hashtable h with 
> 
> ...
> h.put(javax.naming.Context.SECURITY_PRINCIPAL, request.getUserPrincipal());
> ...
> 
> ctx = new InitialContext(h);
> 
> and saving this ctx in a session attribute of my webclient to use for
> further lookups?
> 
> If this is the way, we run into trouble with our implementation of the
> ServiceLocator pattern. Our ServiceLocator class is a Singleton and returns
> the home interfaces of our EJBs. The InitialContext is stored once in an
> instance variable.
> 
> Could anyone give us a short description of the right way or send us a URL
> of an example app?
> 
> Thank you
> Sven



---
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
___
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user