tomcat-users mailing list archives

From Jason Owens <>
Subject Re: Security Propagation
Date Fri, 05 Apr 2002 18:23:27 GMT
To answer your assumption, I do have custom security needs beyond 
standard container security (like permission-based functionality). I 
guess my main concern was associating the user's principal with the 
security identity in EJB calls. According to the servlet spec, SRV.12.7, 
a security identity/principal must always be provided for use in a call 
to an enterprise bean. It's not clear how this is done...

I take it from my research so far that if I want to implement any of 
this stuff, it's going to be proprietary to a specific container. I see 
that the AuthenticatorBase stores the principal in the session, but 
where does the security context get loaded? Or does it? How does the 
container manage the EJB calls? I think I'm just mainly curious, since 
the specification is so vague. But I would like to make my app as 
portable as possible...

Am I trying to do something you're not supposed to do? I did see an 
example of what I need in the book "Special Edition Using EJB 2.0"... 
however, they simply mention that because they weren't using 
container-managed security on the web app side, you need to associate 
the principal with the thread's security context in order to propagate 
it through the EJB calls. No details.

If this is off topic or something, please let me know - I've never 
actually used mailing lists / forums before.

Thanks - Jason

On Friday, April 5, 2002, at 09:15 AM, Craig R. McClanahan wrote:
> I don't know the JBoss integration code, but I imagine the answer would
> be "yes", since you're trying to manage the Principals that Tomcat uses to
> make security decisions.
>> Is there any way to cache the subject in the session, and
>> just somehow associate it with the thread's security context (sounds
>> like this would be easier) when processing? I haven't found any good
>> docs on writing a custom realm, has anyone written any?
> Best bet is to look at the existing examples, like JDBCRealm and
> JNDIRealm.
> However, to store stuff in the user session, you'll probably need to
> write custom Authenticator subclasses as well.  Realms don't have access to
> anything about the current request or session.
>> Any help/pointers/solutions will be appreciated. Thanks
> I suppose there is some reason that standard container managed security
> is not sufficient ...
>> -Jason
> Craig
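The thread leaves open how to "associate the principal with the thread's security context" so that application code can see who the caller is. The following servlet Filter is an added illustration, not code from this thread, from Tomcat, or from the book mentioned above. It takes the Principal that container-managed authentication has already established (HttpServletRequest.getUserPrincipal()) and binds it to the request thread for the duration of the request, clearing it afterwards. The class names CallerContextFilter and CallerContext are hypothetical. This is a portable, application-level pattern; it does not replace the EJB container's own security identity propagation, which, as the thread notes, remains container-specific.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Binds the container-authenticated Principal to the request thread so that
 * application code further down the call stack can read it.
 * Hypothetical example class; not part of Tomcat or of any EJB container.
 */
public class CallerContextFilter implements Filter {

    /** Per-thread holder for the authenticated caller (hypothetical helper). */
    public static final class CallerContext {
        private static final ThreadLocal<Principal> CURRENT = new ThreadLocal<Principal>();

        private CallerContext() {
        }

        /**
         * Returns the caller bound by the filter. Fails closed: code that runs
         * outside a filtered request, or on a different thread (ThreadLocal
         * values do not follow work handed to other threads), gets an exception
         * rather than a silently anonymous caller.
         */
        public static Principal current() {
            Principal p = CURRENT.get();
            if (p == null) {
                throw new IllegalStateException("no authenticated caller bound to this thread");
            }
            return p;
        }
    }

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // getUserPrincipal() is populated by the container's own authentication
        // (the Authenticator/Realm pair discussed in the thread); it is null for
        // an unauthenticated request, in which case current() will throw.
        Principal caller = ((HttpServletRequest) request).getUserPrincipal();
        CallerContext.CURRENT.set(caller);
        try {
            chain.doFilter(request, response);
        } finally {
            // Servlet threads are pooled: the binding must be removed before the
            // thread serves the next request, or one user's identity would be
            // visible during another user's request.
            CallerContext.CURRENT.remove();
        }
    }
}
```

The filter is registered in web.xml with a filter and filter-mapping entry for the protected URL patterns, and business code calls CallerContextFilter.CallerContext.current() before invoking an enterprise bean. The finally block is the security-relevant part: without it, a pooled thread would carry the previous caller's Principal into the next request it serves.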

