[jboss-jira] [JBoss JIRA] (WFLY-959) Allow more flexibility in the way EJB authentication is handled with regards to remoting and security-realms

Darran Lofthouse (JIRA) jira-events at lists.jboss.org
Mon Nov 11 06:52:06 EST 2013 

    [ https://issues.jboss.org/browse/WFLY-959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12922288#comment-12922288 ] 

Darran Lofthouse commented on WFLY-959:
---------------------------------------

Until a complete solution is available the quick starts already contain an example showing how interceptors can be used to change the identity used for EJB calls instead of mandating the identity of the connection.
                
> Allow more flexibility in the way EJB authentication is handled with regards to remoting and security-realms
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: WFLY-959
>                 URL: https://issues.jboss.org/browse/WFLY-959
>             Project: WildFly
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: EJB
>            Reporter: Derek Horton
>            Assignee: David Lloyd
>
> My confusion is around the remoting/security-realm setup in the use case
> where multiple EJBs are deployed that use different security-domains and
> the EJBs will be invoked by remote standalone clients.  For example,
> ejbX needs to be in the sec-domain-X security-domain, while ejbY needs to
> be in the sec-domain-Y security-domain.
> In this situation, the authentication checks are going to be handled by
> the security-realm that is associated with the remote connector that is
> configured to be used by the EJB subsystem.
> It looks like the security-realm can either handle the authentication
> checks directly (properties file, ldap, etc) or it can defer to the
> jaas security-domain.  In both of those situations, it seems that the
> EJBs are limited to a single authentication point.  The EJB
> authentication is either going to be handled by a single security-realm
> or the security-realm will defer to a single security-domain.
> I could configure the security-domain to have multiple login modules.  I
> assume the same thing could be done with the security-realm.
> Basically the problem that I am trying to solve boils down to this:  the
> authentication checks for remote EJBs appear to be checked by either a
> single security-realm or a single security-domain.  Is there a way to
> change this?
> One idea I had was to add another remote connector to the EJB subsystem.
> Unfortunately, this does not appear to be possible.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list