4 Replies Latest reply on Jun 24, 2002 8:51 AM by amrchary

    Tomcat 4 Jboss 3 standalone security question

    dcowan

      I have searched the forums and never found an answer on how to make Tomcat running standalone use JBoss security. The integrated Tomcat/JBoss works fine when I try to use form-based logins in Tomcat to access EJBs. However, when I go to a "production" type environment with Tomcat on one machine and JBoss on another, I cannot get a login to validate. I am sure there is some setup that needs to be done on Tomcat to make it use JBoss's security realm. In this standalone environment I have JNDI working from Tomcat, so I can access my EJBs if I don't use any security. As soon as I enable security in JBoss and in Tomcat, I cannot even log in to Tomcat. I have seen posts stating that what I am trying to do is not possible. What would need to be done to make it possible? Could a custom security provider be written? Any help on this would be greatly appreciated.

        • 1. Re: Tomcat 4 Jboss 3 standalone security question
          starksm64

          You would have to write a custom realm that performs the steps of authenticating the servlet caller just as any other secure ejb client.

          • 2. Re: Tomcat 4 Jboss 3 standalone security question
            dcowan

            Ok. I would think someone would have written one already. Since it sounds like no one has, could you give me a little more description of everything involved? I've got a basic idea of what needs to be done, but I am sure there are details I am missing.

            • 3. Re: Tomcat 4 Jboss 3 standalone security question
              jwkaltz

              We have a custom form, where username and password are entered and sent to a servlet. In this servlet, we do the jboss client stuff (meaning, the client-side lc.login() stuff as described in the documentation). Then we make an ejb call (to a secured ejb); if this call fails due to a security error, then login was not successful.

              I hope this leads you on the right track.

              BTW we are using Tomcat 3.3 as standalone, calling JBoss 2.4.4
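
The flow described in reply 3, sketched as an added example (not code from the original post or from JBoss): a helper the login servlet could call with the form's username and password. It assumes a JAAS configuration entry named `client-login` that uses JBoss's `ClientLoginModule` and the JBoss client jars on Tomcat's classpath; `RemoteJBossLogin`, `FormCallbackHandler` and `securedEjbCall` are hypothetical names. The helper logs out in `finally` so the credentials are not left attached to a pooled request thread.

```java
import java.util.concurrent.Callable;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Hypothetical helper for a login servlet on a standalone Tomcat.
public final class RemoteJBossLogin {

    // Hands the form's username/password to whichever JAAS module asks for them.
    static final class FormCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        FormCallbackHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    // Returns true only if the secured EJB call succeeds with these credentials.
    // securedEjbCall wraps a lookup plus one method call on any secured bean.
    public static boolean authenticate(String user, char[] password,
                                       Callable<?> securedEjbCall) {
        LoginContext lc = null;
        try {
            // Assumed entry name; with ClientLoginModule this step only attaches
            // the credentials to later invocations, it does not verify them.
            lc = new LoginContext("client-login", new FormCallbackHandler(user, password));
            lc.login();
            securedEjbCall.call();   // JBoss checks the credentials on this call
            return true;
        } catch (Exception e) {
            return false;            // fail closed: security error or remote failure
        } finally {
            if (lc != null) {
                try { lc.logout(); } catch (LoginException ignored) { }
            }
        }
    }
}
```

Because every exception is treated as a failed login, a JBoss outage shows up as rejected logins rather than as unauthenticated access; log the exception type if the two cases need to be told apart.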

              • 4. Re: Tomcat 4 Jboss 3 standalone security question
                amrchary

                Do you call lc.login() on every HTTP request or do you do so just ONCE per user session?

                Thanks,

                Chary

                > We have a custom form, where username and password
                > are entered and sent to a servlet. In this servlet,
                > we do the jboss client stuff (meaning, the
                > client-side lc.login() stuff as described in the
                > documentation). Then we make an ejb call (to a
                > secured ejb); if this call fails due to a security
                > error, then login was not successful.
                >
                > I hope this leads you on the right track.
                >
                > BTW we are using Tomcat 3.3 as standalone, calling
                > JBoss 2.4.4