5 Replies Latest reply on Feb 18, 2002 8:03 PM by ipozeng

    How do the JSP pass the principal to the session bean?

    ipozeng

      Hi, friends,
      My web container (Tomcat) and EJB container (JBoss 2.4.4) run on different VMs. Now I have set the role in the DD.
      What I want to know is how Tomcat passes the caller info to JBoss?


      Best Regards!

        • 1. Re: How do the JSP pass the principal to the session bean?

          It is passed in a MarshalledObject called
          RemoteMethodInvocation. You might consider using
          SSL for this connection if snooping is an issue.

          The proxy running on the tomcat VM retrieves the
          principal/credential from the SecurityAssociation
          attached to the current thread and adds it to the
          RemoteMethodInvocation.

          The interceptor stack on the JBoss VM uses the information
          as required, e.g. the security interceptor checks and
          sets up the SecurityAssociation for the ejb container
          using information in the method invocation.

          Is this too technical?
          Have I even answered your question? :-)

          Regards,
          Adrian

          • 2. Re: How do the JSP pass the principal to the session bean?
            ipozeng

            Thanks for your answer first!

            >>The proxy running on the tomcat VM retrieves the
            principal/credential from the SecurityAssociation
            attached to the current thread and adds it to the
            RemoteMethodInvocation.

            How do I add the principal/credential to the SecurityAssociation? Up to now I have set up the principal and role on the JBoss side.

            >>SSL
            Do you mean we need to build an SSL connection between Tomcat and JBoss? But how do I do it?
            Now Apache is connected with Tomcat by using mod_webapp.so, and the user will use https:// to visit our site. Do I need to build an SSL connection between Apache and Tomcat?
            I am a newbie to security. Any suggestion is appreciated!

            Best Regards!

            • 3. Re: How do the JSP pass the principal to the session bean?

              You don't set the SecurityAssociation, instead you use
              your web.xml to configure security.

              If you follow the links in the FAQ to the testsuite
              and the WebIntegrationUnitTestCase, you'll find an
              example of a secure web-app that calls ejbs.

              Alternatively, for a better understanding you might
              look at this link. (It explains JBossSX more than
              your exact problem.)

              http://www.jboss.org/online-manual/HTML/ch09.html

              Regards,
              Adrian

              • 4. Re: How do the JSP pass the principal to the session bean?

                The SSL part is for communication between Tomcat and
                JBoss. You are running on different machines, I think?
                This is not the same as the SSL connection to the outside
                world from the Web Server.

                Somebody could "sniff" the packets going between
                Tomcat and JBoss to discover the principal/credential,
                if they have access to the network for that connection.

                Regards,
                Adrian
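
The propagation described in replies 1 and 4, as an added example that is not part of the original thread and is not JBoss code: the `CALLER` thread-local and the `Invocation` class are hypothetical stand-ins for the SecurityAssociation and the RemoteMethodInvocation, and the identity is a constructed sample. It shows the proxy copying the caller into the marshalled call, the server-side interceptor restoring it, and that the credential is readable in the marshalled bytes when the link is not encrypted.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

public class PrincipalPropagationDemo {
    // Hypothetical stand-in for the per-thread SecurityAssociation.
    static final ThreadLocal<String[]> CALLER = new ThreadLocal<>();

    // Hypothetical stand-in for the marshalled RemoteMethodInvocation.
    static class Invocation implements Serializable {
        private static final long serialVersionUID = 1L;
        final String method, principal, credential;
        Invocation(String method, String principal, String credential) {
            this.method = method; this.principal = principal; this.credential = credential;
        }
    }

    // Client-side proxy (web tier): copy the thread's caller identity into the invocation.
    static byte[] marshal(String method) throws IOException {
        String[] caller = CALLER.get();
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new Invocation(method, caller[0], caller[1]));
        }
        return buf.toByteArray();
    }

    // Server-side interceptor (EJB tier): restore the identity before the bean method runs.
    static String intercept(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            Invocation inv = (Invocation) in.readObject();
            CALLER.set(new String[] { inv.principal, inv.credential });
            return inv.principal + " calls " + inv.method;
        }
    }

    // True if the credential is readable as-is in the bytes that cross the network.
    static boolean visibleOnWire(byte[] wire, String secret) {
        return new String(wire, StandardCharsets.ISO_8859_1).contains(secret);
    }

    public static void main(String[] args) throws Exception {
        CALLER.set(new String[] { "alice", "constructed-password" }); // constructed sample identity
        byte[] wire = marshal("getBalance");
        CALLER.remove(); // simulate the separate server VM: no identity on this thread yet
        System.out.println(intercept(wire));
        System.out.println("credential visible in marshalled bytes: "
                + visibleOnWire(wire, "constructed-password"));
    }
}
```

Java serialization writes string fields as plain character data, which is why wrapping the Tomcat-to-JBoss connection in SSL is what keeps the credential from being read off the network.
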

                • 5. Re: How do the JSP pass the principal to the session bean?
                  ipozeng

                  Thank you very much!
                  I think I need to look into the Tomcat docs now. In fact, I do not know how to build an SSL connection between Tomcat and JBoss :(

                  Best Regards!