[jboss-jira] [JBoss JIRA] (WFLY-959) Allow more flexibility in the way EJB authentication is handled with regards to remoting and security-realms

Darran Lofthouse (JIRA) jira-events at lists.jboss.org
Mon Nov 11 11:03:06 EST 2013


    [ https://issues.jboss.org/browse/WFLY-959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12922431#comment-12922431 ] 

Darran Lofthouse commented on WFLY-959:
---------------------------------------

Re-reading your comment - the answer is No.

The authentication occurs on the establishment of the connection to the server. At that point we do not know what is going to be invoked, and that connection can be used to invoke many different services, including many different EJB deployments, so there is not at this point an underlying subsystem that we can delegate to.

> Allow more flexibility in the way EJB authentication is handled with regards to remoting and security-realms
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: WFLY-959
>                 URL: https://issues.jboss.org/browse/WFLY-959
>             Project: WildFly
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: EJB
>            Reporter: Derek Horton
>            Assignee: David Lloyd
>
> My confusion is around the remoting/security-realm setup in the use case
> where multiple EJBs are deployed that use different security-domains and
> the EJBs will be invoked by remote standalone clients.  For example,
> ejbX needs to be in the sec-domain-X security-domain, while ejbY needs to
> be in the sec-domain-Y security-domain.
> In this situation, the authentication checks are going to be handled by
> the security-realm that is associated with the remote connector that is
> configured to be used by the EJB subsystem.
> It looks like the security-realm can either handle the authentication
> checks directly (properties file, LDAP, etc.) or it can defer to the
> JAAS security-domain.  In both of those situations, it seems that the
> EJBs are limited to a single authentication point.  The EJB
> authentication is either going to be handled by a single security-realm
> or the security-realm will defer to a single security-domain.
> I could configure the security-domain to have multiple login modules.  I
> assume the same thing could be done with the security-realm.
> Basically the problem that I am trying to solve boils down to this:  the
> authentication checks for remote EJBs appear to be checked by either a
> single security-realm or a single security-domain.  Is there a way to
> change this?
> One idea I had was to add another remote connector to the EJB subsystem.
> Unfortunately, this does not appear to be possible.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

