[jboss-user] [Security & JAAS/JBoss] - Re: Integration of Custom Client and Server Login Modules

j2ee_junkie do-not-reply at jboss.com
Tue Jul 18 08:24:58 EDT 2006


kearns,

You need a better understanding of authentication/authorization.  There is just too much stuff that is wrong here.  See the resource I mentioned below, as well as the wikis at wiki.jboss.org/wiki/Wiki.jsp?page=JBossSX and wiki.jboss.org/wiki/Wiki.jsp?page=Tomcat.

However, in an effort to point you in the right direction...

1.) you need to set up and configure container managed security for your web application (per j2ee spec.)  I suggest using FORM based authentication.  I suggest you combine the actions of both your com.jaas.RdbmsLoginModule and your bank.jaas.CustomServerLoginModule into one login module that is configured for the security domain covering the web app.

2.) Then you need to set up and configure container managed security for your EJBs (I think you have already done this).  In this case, make the security domain the same as that in step 1.

The result will be that your user authenticates via the new CustomServerLoginModule for both the web application as well as the EJB components.  Once authenticated you can just call the bean.  Note that you do not need to perform any LoginContext.login()s in your application.

Also, your custom login module should store the customer id and NHS# (so long as these are not restricted data) as custom Principals under the Subject.  If the customerID is what you use internally to identify the user (rather than the "user" parameter entered in the login form), then follow JBoss' subject usage pattern and make this principal the "Caller Principal".  Finally, you can get the customer id to use in the method bankMgrDelegate.getCustomerData(custId).toString() by using the EJBContext.getCallerPrincipal() method.

There is just too much to say, hope this provides some direction.  cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958768#3958768
