From: David Blevins
Subject: Re: What to do about remote login in geronimo 2.0/openejb 3.0?
Date: Fri, 6 Jul 2007 09:59:32 -0700
To: dev@geronimo.apache.org

On Jul 5, 2007, at 5:44 PM, David Jencks wrote:

> On Jul 5, 2007, at 12:03 PM, David Blevins wrote:
>
>> How were we doing web services security before? Did it work for EJBs too? (maybe that was the issue).
>
> Web services security works and worked fine. AFAICT it's using BASIC web authentication. Anyway we tell the web services client a user and password and it gets sent with the message and logged in and everything works. The user/pw comes out of a private credential in the Subject. In order for this to get into the Subject we need a login module running locally on the client to put it there. All this is working fine and has worked fine for a long time.
>
> The problem is that in order to call an ejb we (currently) need remote login modules on the client that are actually running on the server and get the identification principal back to the client subject. We seem to be able to configure logins that use either only remote modules or only local modules, but I haven't been able to figure out how to configure something that uses both a local login module for the web services AND, in the same login configuration, a remote module for openejb.

Hmm. I can definitely see similarities and what you're feeling around for. The paradigm is essentially the same on the client-side: pull user/pw from userland, then put it in a known code location (subject, static) where it will be fished out on request. The server-side is also the same, being a plain user/pw login. Could be possible not just to use the same login configuration but the same login module.

> I also find the code and configuration around remote login modules to be incredibly hard to understand and confusing, so I'd rather come up with something that appears to involve a little less magic.

Amen.

>> I really lost you when you stated an issue with web services security then jumped to solving the problem in the protocol that doesn't use web services. I can't figure out how these things connect.
>
> Just possibly the above will help :-)
>
> Anyway after perusing the jaspi spec some more I don't want to promise to implement it by geronimo 2.0, so I'm now trying option (0) and hope to have a proposed patch Friday. [...] I think this special purpose solution will be a lot simpler and easier to understand than the geronimo code and will work fine while we think about jaspi.

Sounds like a plan.

-David