The problem, as I discovered later, was that during EJB invocations over HTTP, the
SecurityContext did not possess the user credentials. The default JMXInvokerServlet does
not set up the security context in the marshalled invocation and hence the
security interceptor on the server side of the EJB cannot determine authentication info. I
solved it by setting up 2 things - firstly, a filter that extracts username/password (set
during login) from the HttpSession and performs a JAAS login (this sets up the
SecurityAssociation for this thread). Secondly, instead of posting to the default
JMXInvokerServlet, I post to a custom servlet that, in addition to doing what
JMXInvokerServlet does, also gets the principal and credentials from the
SecurityAssociation and sets them on the marshalled invocation (the marshalled invocation is
available from the HTTP servlet request). Hope this helps.
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4047972#...
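
A sketch of the two pieces described in the post above, as an added example that is not the poster's code. Assumptions: the class name, the session attribute names `app.username`/`app.password`, the `propagateIdentity` helper, and the use of JBoss's `client-login` JAAS configuration to bind the identity to `SecurityAssociation`.

```java
import java.io.IOException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.jboss.invocation.MarshalledInvocation;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

public class SessionJaasLoginFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        // Hypothetical attribute names; the post only says they are set during login.
        String user = session == null ? null : (String) session.getAttribute("app.username");
        char[] pass = session == null ? null : (char[]) session.getAttribute("app.password");
        if (user == null || pass == null) {
            // No identity to bind: the EJB security interceptor will reject the call.
            chain.doFilter(req, res);
            return;
        }
        LoginContext lc = null;
        try {
            // Assumption: "client-login" (ClientLoginModule) stores the principal and
            // credential in SecurityAssociation for the current thread.
            lc = new LoginContext("client-login", new UsernamePasswordHandler(user, pass));
            lc.login();
            chain.doFilter(req, res);
        } catch (LoginException e) {
            throw new ServletException("JAAS login failed", e);
        } finally {
            // Container threads are pooled: clear the identity so it cannot leak
            // into the next request served by this thread.
            if (lc != null) {
                try { lc.logout(); } catch (LoginException ignored) { }
            }
        }
    }

    // Hypothetical helper for the custom invoker servlet: copy the thread's
    // identity onto the invocation before it is dispatched to the EJB container.
    static void propagateIdentity(MarshalledInvocation mi) {
        mi.setPrincipal(SecurityAssociation.getPrincipal());
        mi.setCredential(SecurityAssociation.getCredential());
    }
}
```

The filter must be mapped to the custom servlet's URL so that the JAAS login and the invocation dispatch happen on the same request thread.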