[jboss-user] [Security & JAAS/JBoss] - Exclude EJB from security checks

lales do-not-reply at jboss.com
Wed May 13 13:34:42 EDT 2009


I'm sure this has come up before, but I can't seem to find any decent info on how to do it.

Basically we use FORM authentication on our web app. All app pages require the user to be authenticated (except for the login page).

However, I now need to execute a method in an EJB without being authenticated (the use case is for users that have forgotten their pass to be able to reset it from outside the app).

What is the best way to do this? How do I exclude a method of an EJB (or even the entire EJB if needed) from the security checks?

@PermitAll still requires an authenticated caller.
I know I need to use the "unauthenticatedIdentity" option, but I'm not sure how to use this for only one EJB (ideally for a single method) while keeping the security of the rest intact.

Any help appreciated.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4230915#4230915
