Hi Thomas,

Thanks a lot! I will have a look at it.

I ended up creating my own JAAS realms, which are deployed as login modules (GlassFish and JBoss). These realms are very app-specific (the underlying users - passwords - roles - permissions system comes from an Ivy Server (IvyTeam company)). The EJB services are first protected through these realms. Then Shiro comes into the game:

- a shiroInterceptor intercepts the calls and gets the callerPrincipal from the ejbContext (from the JAAS realms). We also get the roles and permissions with the callerPrincipal there, and it calls the securityManager.login(...) method
- a Shiro realm is used for Shiro authentication and authorization

It is not the most straightforward solution in the world, but it works... Work still in progress ;)

Someday I will try to post a simplified solution somewhere to show how it works.

Cheers
Emmanuel

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Securing-EJB-Web-Services-with-HTTP-Basic-Auth-tp7579962p7579968.html
Sent from the Shiro User mailing list archive at Nabble.com.
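
A sketch of the interceptor step described in the message above, as an added example (not the poster's code and not code from the Shiro project): it takes the caller principal the container's JAAS login module already authenticated, logs it into Shiro, and unbinds the Subject afterwards so an identity never stays attached to a pooled EJB thread. The names `ShiroEjbInterceptor` and `ContainerToken` are hypothetical; the sketch assumes a Shiro `SecurityManager` was registered at startup with `SecurityUtils.setSecurityManager(...)` and that the Shiro realm's `supports()` accepts `ContainerToken` and performs no password comparison of its own.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.EJBContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;

// Hypothetical interceptor: bridges a container-authenticated caller into Shiro.
public class ShiroEjbInterceptor {

    /** Hypothetical token: an identity the container has already authenticated. */
    public static final class ContainerToken implements AuthenticationToken {
        private static final long serialVersionUID = 1L;
        private final String name;
        public ContainerToken(String name) { this.name = name; }
        @Override public Object getPrincipal() { return name; }
        // No password travels here; the JAAS login module vouched for the caller.
        @Override public Object getCredentials() { return null; }
    }

    @Resource
    private EJBContext ejbContext;

    @AroundInvoke
    public Object bindShiroSubject(InvocationContext ic) throws Exception {
        // Identity comes only from the container, never from method arguments.
        Principal caller = ejbContext.getCallerPrincipal();

        // Build a fresh Subject per call instead of reusing whatever a
        // previous invocation may have left on this pooled thread.
        Subject subject =
            new Subject.Builder(SecurityUtils.getSecurityManager()).buildSubject();
        subject.login(new ContainerToken(caller.getName()));
        ThreadContext.bind(subject);
        try {
            // Bean code can now use SecurityUtils.getSubject().checkPermission(...)
            return ic.proceed();
        } finally {
            // Always clear the identity, even when the bean method throws.
            subject.logout();
            ThreadContext.unbindSubject();
        }
    }
}
```

Because the realm behind `ContainerToken` skips credential checks, this token type should only ever be constructed inside the interceptor, after the container's own authentication has run.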
