[jboss-user] [Security & JAAS/JBoss] - Re: Integration of Custom Client and Server Login Modules
do-not-reply at jboss.com
Tue Jul 18 08:24:58 EDT 2006
You need a better understanding of authentication/authorization. There is just too much stuff that is wrong here. See the resource I mentioned below. As well as the wikis at wiki.jboss.org/wiki/Wiki.jsp?page=JBossSX
However in an effort to point you in the right direction...
1.) you need to set up and configure container managed security for your web application (per j2ee spec.) I suggest using FORM based authentication. I suggest you combine the actions of both your com.jaas.RdbmsLoginModule and your bank.jaas.CustomServerLoginModule into one login module that is configured for the security domain covering the web app.
2.) Then you need to set up and configure container managed security for your EJB's (I think you have already done this). In this case, make the security domain the same as that in step 1.
The result will be that your user authenticates via the new CustomServerLoginModule for both the web application as well as the EJB components. Once authenticated you can just call the bean. Note that you do not need to perform any LoginContext.login()s in your application.
Also, your custom login module should store the customer id and NHS# (so long as these are not restricted data) as custom Principals under the Subject. If the customerID is what you use internally to identify the user (rather than the "user" parameter entered in the login form), then follow JBoss' subject usage pattern and make this principal the "Caller Principal". Finally, you can get the customer id to use in method bankMgrDelegate.getCustomerData(custId).toString() by using the EJBContext.getCallerPrincipal() method.
There is just too much to say, hope this provides some direction. cgriffith
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958768#3958768
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3958768
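The combined login module the reply describes, written as an added example (not code from the original thread or from JBoss itself): it does the password check that the RdbmsLoginModule did and publishes the internal customer id through the "CallerPrincipal" group, so that EJBContext.getCallerPrincipal().getName() in the bean yields the custId. The user table is a constructed in-memory stand-in for the database, the class and package names are assumed, and it relies on the login-config.xml options hashAlgorithm and hashEncoding being set for the security domain so the submitted password is hashed before comparison.

```java
package bank.jaas;

import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * Single login module for the security domain shared by the web app (FORM auth)
 * and the EJBs. Verifies the password (the former RDBMS step) and exposes the
 * internal customer id as the caller principal.
 */
public class CustomServerLoginModule extends UsernamePasswordLoginModule {

    /** Constructed stand-in for the customer table: login name -> {passwordHash, customerId, role}. */
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static {
        // Placeholder hash; the real value comes from the database.
        USERS.put("alice", new String[] { "<base64-sha256-of-password>", "C-1001", "Customer" });
    }

    /** Stored (hashed) password for the user who is logging in. */
    @Override
    protected String getUsersPassword() throws LoginException {
        String[] row = USERS.get(getUsername());
        // null makes validatePassword() fail exactly as a wrong password does,
        // so unknown and bad-password logins are indistinguishable to the client
        return row == null ? null : row[0];
    }

    /** Groups placed in the Subject: "Roles" for authorization, "CallerPrincipal" for identity. */
    @Override
    protected Group[] getRoleSets() throws LoginException {
        String[] row = USERS.get(getUsername());
        Group roles = new SimpleGroup("Roles");
        roles.addMember(new SimplePrincipal(row[2]));
        // JBoss returns the single member of "CallerPrincipal" from getCallerPrincipal();
        // use the internal customer id here, not the name typed into the login form.
        Group caller = new SimpleGroup("CallerPrincipal");
        caller.addMember(new SimplePrincipal(row[1]));
        // The NHS# is deliberately not added; attach it as another principal only if it is not restricted data.
        return new Group[] { roles, caller };
    }
}
```

With this module bound to the domain named in both jboss-web.xml and jboss.xml, a bean can call `ctx.getCallerPrincipal().getName()` and pass the result straight to `bankMgrDelegate.getCustomerData(custId)`.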