On 11/26/2010 04:41 PM, Remy Maucherat wrote:
> On Thu, 2010-11-25 at 14:44 -0500, asaldhan(a)redhat.com wrote:
>> Those were needed for outgoing calls from the web layer into WS and EJB3 etc.
>>
>> But we will try to make it lightweight going forward.
> The amount of stuff going on proactively due to security is quite
> amazing at the moment in AS 6, so I think "try to" should be dropped
> from your statement :)
I found out that WS actually has got the most ingenious security
integration of all.
See WebServiceContextJSE and WebServiceContextEJB. Basically they don't
integrate but call out via some dirty SPI construct.
While in actuality you only need two calls (supposing we do it similar
to TransactionManager):
    Principal securityManager.getSecurityContext().getCallerPrincipal();
    boolean securityManager.isCallerInRole(String role);
We need to get rid of the large pieces of code that are currently in
Servlet and EJB to make it happen.
Carlo
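
Added example, not part of the original message and not JBoss AS code: one way the two-call surface described above could look when the security context is associated with the current thread, in the way a TransactionManager associates a transaction. All type names are hypothetical, and the sample caller and roles are constructed.

```java
import java.security.Principal;
import java.util.Set;

// Hypothetical names throughout; none of these types are JBoss AS classes.
public class CallerSecurityExample {
    /** Immutable caller identity plus the roles already resolved for it. */
    record SecurityContext(Principal caller, Set<String> roles) {
        Principal getCallerPrincipal() { return caller; }
    }

    /** The two-call surface, with the context bound to the current thread. */
    static final class CallerSecurityManager {
        private final ThreadLocal<SecurityContext> current = new ThreadLocal<>();

        SecurityContext getSecurityContext() {
            SecurityContext ctx = current.get();
            if (ctx == null) throw new IllegalStateException("no security context on this thread");
            return ctx;
        }

        boolean isCallerInRole(String role) {
            SecurityContext ctx = current.get();
            return ctx != null && ctx.roles().contains(role); // fail closed when unbound
        }

        /** Container entry point: bind, invoke, always restore the previous context. */
        void runAs(SecurityContext ctx, Runnable invocation) {
            SecurityContext previous = current.get();
            current.set(ctx);
            try {
                invocation.run();
            } finally {
                // Pooled threads must not carry one caller's identity into the next request.
                if (previous == null) current.remove(); else current.set(previous);
            }
        }
    }

    public static void main(String[] args) {
        CallerSecurityManager securityManager = new CallerSecurityManager();
        Principal alice = () -> "alice"; // constructed sample caller
        securityManager.runAs(new SecurityContext(alice, Set.of("user")), () -> {
            System.out.println(securityManager.getSecurityContext().getCallerPrincipal().getName());
            System.out.println(securityManager.isCallerInRole("admin"));
        });
        System.out.println(securityManager.isCallerInRole("user")); // context was removed
    }
}
```

A servlet, EJB or web service context would then delegate to these two calls, with only the container's entry point responsible for binding and restoring the context.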