andrei povodyrev [
https://community.jboss.org/people/apovodyrev] commented on the
document
"JBoss 7 and Ejb remote call with security"
To view all comments on this document, visit:
https://community.jboss.org/docs/DOC-17581#comment-9369
--------------------------------------------------
Seems like all remote calls have to be authenticated by remoting-connector.
Application login module must have <module-option name="password-stacking"
value="useFirstPass"/> to piggy back on cached Principal/Credentials
If security realm (ApplicationRealm by default) is removed from remoting-connector, there
is no way to authenticate ejb remote call.
Tried multiple approaches
1)
jndiProperties.put(InitialContext.SECURITY_PRINCIPAL, "user");
jndiProperties.put(InitialContext.SECURITY_CREDENTIALS, "pass");
2)
org.jboss.security.client.SecurityClient
3)
org.jboss.security.auth.callback.AppCallbackHandler
User credential set by above means do not get to java ee security context and random UUID
values are used on server, or $local if
setting SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER not used
Seems like a mess. If you have multiple apps on the same server with own security,
maintaining acces to then with remote client is going to be nightmare.
--------------------------------------------------