[jbossws-dev] [Design of JBoss Web Services] - Re: UsernameToken authentication and authorization for POJO

darran.lofthouse@jboss.com do-not-reply at jboss.com
Mon Apr 28 04:59:06 EDT 2008


"alessio.soldano at jboss.com" wrote : 
  | I think it would be better to leave the configuration of the allowed roles to the login module configuration. Maybe I'm missing something, but I think we could simply let the user configure the security domain as usual and then the login module(s) configured for that security domain will have the roles configuration.
  | 

The reason that we need the additional role check is because the login modules do not actually verify the roles that the user is a member of; the login modules just load the list of roles. The list of roles is then checked against the required roles in the servlet container or in the EJB container.

"anil.saldhana at jboss.com" wrote : 
  | Why not just design a generic solution around invoking the JBoss Security Managers by doing a JNDI lookup (works both in web and ejb2 containers) 
  | 

If the code you show is the better way to do it then there is no problem doing it that way as well; however, we do not have a need for the actual code to be portable across the containers, as the WS-Security handlers are always called within a web application. Even if you deploy an EJB endpoint, a web application is automatically deployed to handle the actual WS requests.




View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4147136#4147136
