[jboss-user] [Security & JAAS/JBoss] - ClientLoginModule & ServerInvokerServlet

LB24 do-not-reply at jboss.com
Thu Oct 23 11:18:00 EDT 2008

I have a set-up where an external Client (swing based) is using the ClientLoginModule to pass its user credentials to an EJB3 Stateless service for execution.  The service is annotated (@SecurityDomain) and the method calls are annotated with @RolesAllowed.  The security Domain is configured in the JBoss 4.2.2 login-config.xml.

All is working fine when using a socket connection (clientBindUrl = "socket://"). However, the client also needs to be able to communicate over HTTP (clientBindUrl = "http://localhost:8080/invoker/ServerInvokerServlet").  When using the HTTP JNDI-bound service, the Principal/Subject are null on receiving the HTTP call within the RoleBasedAuthorizationInterceptor.

I've configured the jboss-web.xml within the invoker.war\WEB-INF, but I believe this will only work with BASIC or FORM auth.  I already have authentication (albeit dummy) on the Fat Client (swing) using the ClientLoginModule - how do I configure the ServerInvokerServlet to use these credentials as with the socket connection (RMI)?

I've seen plenty of examples of how to secure WebApps, plus examples of how to use the ClientLoginModule, but can't find any good documentation on how to use the ClientLoginModule when calling EJB3 over HTTP (or HTTPS).

Any help/pointers would be much appreciated.


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4184254#4184254
