geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kory Markevich <>
Subject Re: EJB Authentication Problem
Date Mon, 24 Sep 2007 22:48:26 GMT
David Jencks <david_jencks@...> writes:

> I think this is what you need to do.  With openejb standalone the  
> login-by-getting-jndi might work better.  We could fix it in geronimo  
> by having you supply a realm name 

I guess what I need to know is whether I'm missing something, because from what
I can tell both login via JNDI and via JAAS (using
org.apache.openejb.client.ClientLoginModule) from a stand-alone client cannot
work in 2.0.1 because they both send null as the realm name, which Geronimo
rejects.  Both of these methods have changed in the latest OpenEJB to allow the
realm name to be passed; any idea when those features or equivalent will end up
in Geronimo?

A workaround is to call ClientSecurity.directAuthorization myself and store the
returned identity.  This *seems* to work fine, I just had hoped to be able to do
something a bit more standard.

> If you have a better idea I'm all ears.  The problem I see with  
> configuring the realm name in the server is that you are getting a  
> global jndi tree containing all ejbs.  I think we need to support  
> each ejb app being deployed to a different security realm, but all of  
> them accessing the ejbs through the same global jndi tree and network  
> port.  I haven't figured out how to resolve these conflicting needs  
> without having the client supply the realm name it intends to use to  
> log in.

I don't really have an issue with the realm name being supplied by the client
(and your use cases make sense,) it just surprised me that the server didn't
have default behaviour for the case when the realm wasn't passed.  I had assumed
that something like this would be covered by the spec, but I'm inexperienced
with EE security.

> I think this is a bug.  For web apps we won't deploy them if they  
> have security in the spec dd but no geronimo security configured.   
> Want to open a jira?

It's not an issue for me, so that would be up to you guys.

> Sorry I know nothing about eclipse.

No problem, I just wanted to let someone know about them.

Thanks for the help!


Kory Markevich
Tech Lead
ACL Services Ltd.

1550 Alberni Street | Vancouver | BC | V6G 1A5
Tel: 604 669 4225
Email: kory_markevich@...  | Web:


The contents of this email are confidential and are for the intended
recipient(s) named above only. If you are not the intended recipient,
any copying, distribution or use of this email is prohibited. If you
have received this email in error, please notify the sender and delete
the email.

View raw message