[jboss-dev-forums] [Design of Security on JBoss] - Re: SecurityAssociation no longer valid in remote client
anil.saldhana@jboss.com
do-not-reply at jboss.com
Fri Apr 27 10:55:24 EDT 2007
A discussion with Thomas has brought out an issue for me.
The background is that a security context can come over the wire for remote calls. Now whoever is constructing the invocation object on the server side has to be aware of this change (i.e., they can set a SecurityContext on the session).
Given this, the containers (session,entity) have two choices:
a) Ensure that there is a security context on the invocation.
b) Accommodate any integration code (that may have created their own Invocation object and forgotten to set the security context) and create the security context on the inv. This can be bad because things like runas or any tokens that may be coming over the wire may be lost.
I prefer a), but it may break clients.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4041434#4041434
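
The two choices described in the post, side by side, as an added example that is not part of the original message or of JBoss code. The `Invocation` and `SecurityContext` types, the method names and the `anonymous` default principal are hypothetical stand-ins, and the sample identities are constructed.

```java
import java.util.Optional;

// Hypothetical stand-ins; these are not the JBoss classes of the same name.
public class SecurityContextCheck {
    record SecurityContext(String principal, Optional<String> runAs) {}

    static final class Invocation {
        private SecurityContext ctx;   // stays null when the builder forgot to set it
        Invocation with(SecurityContext c) { this.ctx = c; return this; }
        SecurityContext context() { return ctx; }
    }

    // Choice a): the container refuses an invocation that carries no context.
    static SecurityContext requireContext(Invocation inv) {
        if (inv.context() == null) {
            throw new SecurityException("invocation has no security context");
        }
        return inv.context();
    }

    // Choice b): the container fills the gap with a fresh, empty context.
    // The "anonymous" principal is an assumption made for this sketch.
    static SecurityContext contextOrDefault(Invocation inv) {
        if (inv.context() == null) {
            inv.with(new SecurityContext("anonymous", Optional.empty()));
        }
        return inv.context();
    }

    public static void main(String[] args) {
        // Constructed sample: the context as it arrived over the wire.
        SecurityContext wire = new SecurityContext("alice", Optional.of("batch-admin"));

        Invocation correct = new Invocation().with(wire);
        Invocation forgetful = new Invocation();   // integration code dropped the context

        System.out.println("a) correct:   " + requireContext(correct));
        try {
            requireContext(forgetful);
        } catch (SecurityException e) {
            System.out.println("a) forgetful: rejected (" + e.getMessage() + ")");
        }
        // b) accepts the call, but the principal and run-as sent over the wire are gone.
        System.out.println("b) forgetful: " + contextOrDefault(forgetful));
    }
}
```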