[jboss-dev-forums] [Design of JBoss Remoting, Unified Invokers] - Re: http-invoker and authentication info
dsengupt
do-not-reply at jboss.com
Wed May 23 12:29:44 EDT 2007
The problem, as I discovered later, was that during EJB invocations over HTTP, the SecurityContext did not possess the user credentials. The default JMXInvokerServlet does not set up the security context in the marshalled invocation, and hence the security interceptor on the server side of the EJB cannot determine authentication info. I solved it by setting up 2 things - firstly, a filter that extracts the username/password (set during login) from the HTTP session and performs a JAAS login (this sets up the SecurityAssociation for this thread). Secondly, instead of posting to the default JMXInvokerServlet, I post to a custom servlet that, in addition to doing what JMXInvokerServlet does, also gets the principal and credentials from the SecurityAssociation and sets them on the marshalled invocation (the marshalled invocation is available from the HTTP servlet request). Hope this helps.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4047972#4047972