[jboss-user] [Security & JAAS/JBoss] - Mixing Axis (BASIC) and web browser (form-based) authenticat

mjhammel do-not-reply at jboss.com
Mon Sep 11 12:01:49 EDT 2006


I'm pretty new to Java/JBOSS (I'm a C developer by trade), so forgive me if some of what I say seems nonsensical.

Background:
I've got an application running under JBOSS 4.0 that requires both browser-based and remote Java client-based logins.  I've got the browser-based interface working using forms-based authentication.  When I log out, the logout is complete and any attempt to access another page takes me back to the login page.  That's exactly what I want.  If I switch this to BASIC authentication then the browser can cache the session info and get back in after the logout invalidates it without forcing the user to log in again.  That's not acceptable, so the form-based authentication appears to be what I want for the browser-based interface into the application.

I also have a standalone client built using Axis that needs to log into the same server.  It originally was written to work with BASIC authentication.  Switching to form-based authentication broke it.  I've read what feels like a bazillion web pages (including the security FAQ here and the JBOSS 4.0 manual) and it appears AXIS only supports BASIC authentication and one other certificate-based type that (according to the JBOSS manual) nobody really uses. So if I want to build a standalone application using an RPC-over-SOAP interface I'll need to use BASIC authentication.

Questions:
As far as I can tell I can't mix the two types of authentication for a single JBOSS application, can I?  If I put two login-config sections in the web.xml then the JBOSS server prints error messages that I can't yet decipher.

I inherited the project and the use of Axis (or at least some kind of RPC mechanism) is desirable by the project team.  Is there some other way to do RPC from the standalone Java client to the application running in JBOSS?

I considered dropping the RPC requirement and integrating our client with JDIC in order to do desktop related things and still access the server via a browser interface.  How feasible does this sound?  I need the client to be able to pass files back and forth to the JBOSS application, potentially very large files.  Of course, I wasn't able to build JDIC on FC5, but that's a problem I can eventually resolve, if it's worth my time investigating further.



View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3970793#3970793
