tomcat-users mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: Security Propagation
Date Fri, 05 Apr 2002 19:43:41 GMT


On Fri, 5 Apr 2002, Jason Owens wrote:

> Date: Fri, 5 Apr 2002 10:23:27 -0800
> From: Jason Owens <shadow@portablehole.net>
> Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> Subject: Re: Security Propagation
>
> To answer your assumption, I do have custom security needs beyond
> standard container security (like permission-based functionality). I
> guess my main concern was associating the user's principal with the
> security identity in EJB calls. According to the servlet spec, SRV.12.7,
> a security identity/principal must always be provided for use in a call
> to an enterprise bean. It's not clear on how this is done...
>
> I take it from my research so far that if I want to implement any of
> this stuff, it's going to be proprietary to a specific container.  I see
> that the AuthenticatorBase stores the principal in the session, but
> where does the security context get loaded? or does it? How does the
> container manage the EJB calls? I think I'm just mainly curious, since
> the specification is so vague. But I would like to make my app as
> portable as possible...
>
> Am I trying to do something you're not supposed to do? I did see an
> example of what I need in the book "Special Edition Using EJB 2.0"...
> however, they simply mention that because they weren't using
> container-managed security on the web app side, you need to associate
> the principal with the thread's security context in order to propagate
> it through the EJB calls. No details.
>
> If this is off topic or something, please let me know - I've never
> actually used mailing lists / forums before.
>

I think your basic point ("it is going to be proprietary to a specific
container") is correct.  In particular, the "container" we're talking
about here is the *combination* of Tomcat and the EJB layer from JBoss.
Since I have no clue how this integration was done even for standard
container managed security, I'm afraid I cannot offer any advice on the
details.  Perhaps someone on the JBoss list (since they did the
integration) can help.

> Thanks - Jason

Craig

