[jboss-dev-forums] [JBoss AS 7 Development] - JBoss 7 and Ejb remote call with security

andrei povodyrev do-not-reply at jboss.com
Thu Mar 15 16:22:22 EDT 2012


andrei povodyrev [https://community.jboss.org/people/apovodyrev] commented on the document

"JBoss 7 and Ejb remote call with security"

To view all comments on this document, visit: https://community.jboss.org/docs/DOC-17581#comment-9369

--------------------------------------------------
Seems like all remote calls have to be authenticated by remoting-connector.
The application login module must have <module-option name="password-stacking" value="useFirstPass"/> to piggyback on the cached Principal/Credentials.

If the security realm (ApplicationRealm by default) is removed from the remoting-connector, there is no way to authenticate an EJB remote call.

Tried multiple approaches:
1)
jndiProperties.put(InitialContext.SECURITY_PRINCIPAL, "user");
jndiProperties.put(InitialContext.SECURITY_CREDENTIALS, "pass");
2)
org.jboss.security.client.SecurityClient
3)
org.jboss.security.auth.callback.AppCallbackHandler

User credentials set by the above means do not get to the Java EE security context, and random UUID values are used on the server, or $local if the setting SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER is not used.

Seems like a mess. If you have multiple apps on the same server with their own security, maintaining access to them with a remote client is going to be a nightmare.
--------------------------------------------------
