[jboss-dev-forums] [JBoss AS 7 Development] - Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"

Jason Greene do-not-reply at jboss.com
Mon Mar 19 10:39:09 EDT 2012


Jason Greene [https://community.jboss.org/people/jason.greene] created the discussion

"Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default""

To view the discussion, visit: https://community.jboss.org/message/724714#724714

--------------------------------------------------------------
In remoting, authentication is PER connection. Inside of a connection you have multiple channels which are intended for multiple services (e.g. ejb, jmx, etc). All are intended to share the same credentials so that auth is only done once on initial connect. If you need to dynamically handle different users, then the best way is to manage all of the connections yourself (this will also address the close problem you mention in the other thread). So basically all you do is set up your connections lazily and per user, and then associate them to the ejb client context before a proxy is invoked (e.g. using ThreadLocalContextSelector like you are already doing). If you prefer you could also write your own context selector that uses the username as an entry in a global index.

Something like this could be done for a connection per-thread model (although ideally you don't want duplicate connections for the same user):

Global Shared Stuff for the entire VM
        // Global Shared Stuff
        // create the endpoint
        final Endpoint endpoint = Remoting.createEndpoint("my-client", OptionMap.create(Options.THREAD_DAEMON, true));
 
        // Have the provider use non-ssl connections
        endpoint.addConnectionProvider("remote", new RemoteConnectionProviderFactory(), OptionMap.create(Options.SSL_ENABLED, false));
 
        // Set up a global thread-local selector, which will allow you to have a different connection per-thread
        this.selector = new ThreadLocalContextSelector<EJBClientContext>(new ThreadLocal<EJBClientContext>()); 
        EJBClientContext.setSelector(this.selector);


Per-connection setup
        // Where to connect
        final URI connectionURI = new URI("remote://localhost:4447");
        
        // Disable local auth, and allow plain text passwords over the wire (clear text is needed for JAAS / security domains)
        OptionMap.Builder builder = OptionMap.builder().set(Options.SASL_POLICY_NOANONYMOUS, true);
        builder.set(Options.SASL_POLICY_NOPLAINTEXT, false);
        builder.set(Options.SASL_DISALLOWED_MECHANISMS, Sequence.of("JBOSS-LOCAL-USER"));
        
        // Create the connection
        final IoFuture<Connection> futureConnection = endpoint.connect(connectionURI, builder.getMap(), new AuthenticationCallbackHandler(username, password));
        // wait for the connection to be established
        final Connection connection = IoFutureHelper.get(futureConnection, 5000, TimeUnit.MILLISECONDS);
        // create a remoting EJB receiver for this connection
        final EJBReceiver receiver = new RemotingConnectionEJBReceiver(connection);
        // associate it with a new client context
        EJBClientContext context = EJBClientContext.create();
        context.registerEJBReceiver(receiver);
        
        // Set this thread to use this context
        this.selector.setCurrent(context);
--------------------------------------------------------------
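
The username-indexed context selector suggested in the post, sketched as an added example (not code from the original post or from the JBoss project). The class name `UserIndexedContextSelector` and its `login`/`bind`/`unbind`/`logout` methods are hypothetical; it assumes the same jboss-ejb-client and Remoting 3 classes used in the snippets above, and that the application has already verified the user before calling `login`.

```java
import java.net.URI;
import java.util.concurrent.*;
import javax.security.auth.callback.CallbackHandler;
import org.jboss.ejb.client.ContextSelector;
import org.jboss.ejb.client.EJBClientContext;
import org.jboss.ejb.client.remoting.IoFutureHelper;
import org.jboss.ejb.client.remoting.RemotingConnectionEJBReceiver;
import org.jboss.remoting3.Connection;
import org.jboss.remoting3.Endpoint;
import org.xnio.IoFuture;
import org.xnio.OptionMap;

// Hypothetical selector: one authenticated connection per username, shared VM-wide.
public class UserIndexedContextSelector implements ContextSelector<EJBClientContext> {
    private static final class Entry {
        final Connection connection; final EJBClientContext context;
        Entry(Connection c, EJBClientContext x) { connection = c; context = x; }
    }
    private final ConcurrentMap<String, Entry> byUser = new ConcurrentHashMap<String, Entry>();
    private final ThreadLocal<String> currentUser = new ThreadLocal<String>();
    private final Endpoint endpoint; private final URI uri; private final OptionMap options;
    public UserIndexedContextSelector(Endpoint endpoint, URI uri, OptionMap options) {
        this.endpoint = endpoint; this.uri = uri; this.options = options;
    }
    // Authenticates once per user. An existing entry is reused WITHOUT re-checking
    // credentials, so call this only for a user the application has already verified.
    public void login(String user, CallbackHandler credentials) throws Exception {
        if (byUser.containsKey(user)) return;
        IoFuture<Connection> future = endpoint.connect(uri, options, credentials);
        Connection connection = IoFutureHelper.get(future, 5000, TimeUnit.MILLISECONDS);
        EJBClientContext context = EJBClientContext.create();
        context.registerEJBReceiver(new RemotingConnectionEJBReceiver(connection));
        if (byUser.putIfAbsent(user, new Entry(connection, context)) != null) connection.close(); // lost a race
    }
    // Bind before invoking a proxy; unbind in finally so a pooled thread does not keep the previous user.
    public void bind(String user) {
        if (!byUser.containsKey(user)) throw new IllegalStateException("not logged in: " + user);
        currentUser.set(user);
    }
    public void unbind() { currentUser.remove(); }
    public void logout(String user) throws Exception { // drop the index entry and close its connection
        Entry e = byUser.remove(user);
        if (e != null) e.connection.close();
    }
    public EJBClientContext getCurrent() { // null when the thread is unbound: no fallback identity
        Entry e = (currentUser.get() == null) ? null : byUser.get(currentUser.get());
        return (e == null) ? null : e.context;
    }
}
```

Install it once with `EJBClientContext.setSelector(...)` in place of the thread-local selector, then wrap each proxy call in `bind(user)` / `unbind()`.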
