[jboss-user] [Security & JAAS/JBoss] - Re: Integration of Custom Client and Server Login Modules

kearns do-not-reply at jboss.com
Tue Jul 18 09:30:35 EDT 2006


Thanks for your patience, as I know this may seem straightforward to some.

I have already succeeded in a previous project to use BASIC web authentication attached to a domain using the JBoss UsersRolesLoginModule. Only Customer and Admin roles can access specific web pages and then calls to remote EJBs are also restricted based on role.

Web.xml:

    <security-role>
      <role-name>admin</role-name>
    </security-role>
    <security-role>
      <role-name>customer</role-name>
    </security-role>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>BankDomain</realm-name>
    </login-config>


JBoss-web.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <jboss-web>
      <security-domain flushOnSessionInvalidation="false">java:/jaas/BankDomain</security-domain>
      <context-root>/bank</context-root>
    </jboss-web>

JBoss.xml:

    <jboss>
        <security-domain>java:/jaas/BankDomain</security-domain>
    </jboss>


The target bean is the same remote stateless session bean, BankMgr, which uses the Caller Principal in the way you mentioned:

    public CustomerData getMyData() throws bank.BankException {
        Principal p = context.getCallerPrincipal();
        String userN = p.getName();
        if (userN.equalsIgnoreCase("ANONYMOUS") || userN.equalsIgnoreCase("GUEST")) {
            throw new BankException("BankMgrBean: getMyData - User not logged in");
        }
        int pUserId = Integer.parseInt(userN);

However, what I wanted to show in this Proof of Concept (PoC) project was that client authentication could be executed independently from server-side resource control, e.g. bean method execution. Such a scenario would occur if authentication of the client is not under your control; however, authorisation to use server-side (remote) resources is. Thus, I cannot use the same security realm for both the client and server resources.

Thanks again for your help.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958791#3958791

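As an added illustration of the separation the post is after (this is example configuration, not from the original post or from the poster's project): a login-config.xml fragment in the JBoss 4.x format with two application policies. "BankDomain" is the server-side domain named in the poster's jboss-web.xml and jboss.xml and is the only place credentials are validated; "client-login" is the stock JBoss client-side policy whose ClientLoginModule performs no authentication and merely records the principal and credential that the client sends along with remote EJB invocations. The property file names bank-users.properties and bank-roles.properties are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not part of the original post): JBoss 4.x login-config.xml
     fragment showing a server-side security domain separate from the client-side
     login configuration. File names under props/ are assumed. -->
<policy>

  <!-- Server side: the domain bound at java:/jaas/BankDomain in jboss-web.xml and
       jboss.xml. UsersRolesLoginModule verifies the password here, and the roles it
       assigns ("admin", "customer") are what the web.xml security-roles and the EJB
       method-permissions are checked against. getCallerPrincipal() inside BankMgr
       returns the user name that THIS module authenticated. -->
  <application-policy name="BankDomain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <!-- assumed file names; format is "user=password" and "user=role1,role2" -->
        <module-option name="usersProperties">props/bank-users.properties</module-option>
        <module-option name="rolesProperties">props/bank-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- Client side: whatever the client does to authenticate its user locally is
       invisible to the server. ClientLoginModule only stores the principal/credential
       supplied to the LoginContext so that they travel with the invocation; the server
       still authenticates and authorises every call against BankDomain above. That is
       what keeps client authentication and server-side resource control independent:
       the server never trusts a client-side login on its own. -->
  <application-policy name="client-login">
    <authentication>
      <login-module code="org.jboss.security.ClientLoginModule"
                    flag="required">
        <!-- restore any pre-existing security context on logout -->
        <module-option name="restore-login-identity">true</module-option>
      </login-module>
    </authentication>
  </application-policy>

</policy>
```

The practical consequence for the PoC is that the client may log in through any JAAS configuration it likes (its own realm, a custom login module, or nothing at all), but the identity it propagates is only honoured if the credential also passes the server-side BankDomain modules; role-based access to the web pages and to BankMgr's methods is therefore decided entirely on the server.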