[jboss-user] [Security & JAAS/JBoss] - ClientLoginModule & ServerInvokerServlet
do-not-reply at jboss.com
Thu Oct 23 11:18:00 EDT 2008
I have a set-up where an external Client (swing based) is using the ClientLoginModule to pass its user credentials to an EJB3 Stateless service for execution. The service is annotated (@SecurityDomain) and the method calls are annotated with @RolesAllowed. The security Domain is configured in the JBoss 4.2.2 login-config.xml.
All is working fine when using a socket connection (clientBindUrl = "socket://0.0.0.0:3873"). However, the client also needs to be able to communicate over HTTP (clientBindUrl = "http://localhost:8080/invoker/ServerInvokerServlet"). When using the HTTP JNDI-bound service, the Principal/Subject are null on receiving the HTTP call within the RoleBasedAuthorizationInterceptor.
I've configured the jboss-web.xml within the invoker.war\WEB-INF, but I believe this will only work with BASIC or FORM auth. I already have authentication (albeit dummy) on the Fat Client (swing) using the ClientLoginModule - how do I configure the ServerInvokerServlet to use these credentials as with the socket connection (RMI)?
I've seen plenty of examples of how to secure WebApps, plus examples of how to use the ClientLoginModule, but I can't find any good documentation on how to use the ClientLoginModule when calling EJB3 over HTTP (or HTTPS).
Any help/pointers would be much appreciated.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4184254#4184254