7 Replies Latest reply on May 21, 2003 9:43 AM by hln_chn

    Custom Login Module accesses EJB

    kit_

      Hi All.

      I have the following problem.

      I've implemented a custom JAAS login module which obtains user information from the database. All works fine, but there already exists a session EJB managing users in the database. It seems to be very attractive to use that EJB within the custom login module to access users' information.

      Since that EJB is also used by other applications, its methods are protected. To avoid recursive login module invocation the module must be associated with some identity. But it's not associated with any identity and the login module is invoked recursively.

      Is there any way to associate an identity with the custom login module so that the latter could invoke protected methods of EJB?

      Thanks, Kit.

        • 1. Re: Custom Login Module accesses EJB
          hergaty

          Hi Kit,

          I got the same problem.
          Did you find a solution that you can probably provide?

          Thanks,
          Thomas



          • 2. Re: Custom Login Module accesses EJB
            xmik

            Funny, but I too have that problem. I want to call methods on EJBs from my CustomLoginModule, is that possible?

            /Mike

            • 3. Re: Custom Login Module accesses EJB
              xmik

              I too have this problem. Is it even possible to call methods on EJBs from a custom loginmodule?

              /Mike

              • 4. Re: Custom Login Module accesses EJB
                nvenk

                I guess it is a common problem. To terminate the recursive authentication, I used a reserved user - say "system", for which I did not make the EJB calls. Note I did use a password for this user which is known only within the server to prevent breach from external clients.

                If there is a better approach, please let me know

                -Nandak

                • 5. Re: Custom Login Module accesses EJB
                  xnixnix

                  I've found the
                  org.jboss.security.auth.spi.RunAsLoginModule
                  that seems to be there just for this purpose, quote from the source:

                  ** A login module that establishes a run-as role for the duration of the login
                  * phase of authentication. It can be used to allow another login module
                  * interact with a secured EJB that provides authentication services.

                  Does anyone know how to use it exactly?

                  I'll try it out and post my findings, if I get it to work.

                  • 6. Re: Custom Login Module accesses EJB

                    From playing with the RunAsLoginModule, it seems to work if your login module only needs to access EJBs in the login() method. You would put it in your login stack before your own module, passing it a configuration parameter "roleName" whose value is the role you want your login module to run-as. When its login() method is called it associates the specified role with the current thread.

                    The problem is if your commit() and/or abort() methods also want to access EJBs. RunAsLoginModule's own commit()/abort() removes the role from the current thread, and since it's before your module in the stack, the thread will no longer have the role when it gets to your module.

                    I need to access EJBs in commit(), so I'm going to have to modify my own login module to do the security association work RunAsLoginModule does.

                    Best,
                    Brian
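
Added example, not part of the thread and not JBoss code: a plain-JAAS simulation of the stack ordering described in reply 6, showing that a module placed after a run-as module has the role during login() but has lost it by the time its own commit() runs. `RunAs`, `Custom`, the `RUN_AS` thread-local and the `InternalUser` role are hypothetical stand-ins; only the `roleName` option name comes from the post. Assumes Java 11 or later.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class RunAsOrderDemo {
    // Hypothetical stand-in for the run-as role the container binds to the current thread.
    static final ThreadLocal<Deque<String>> RUN_AS = ThreadLocal.withInitial(ArrayDeque::new);
    static final List<String> TRACE = new ArrayList<>();

    // Stand-in for a protected EJB method: permitted only under the run-as role.
    static void securedLookup(String phase) {
        boolean ok = "InternalUser".equals(RUN_AS.get().peek());
        TRACE.add(phase + " -> " + (ok ? "EJB call allowed" : "EJB call denied, no run-as role"));
    }

    public abstract static class Base implements LoginModule {
        protected Map<String, ?> options;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            options = opts;
        }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    // Mimics the behaviour described in the post: push in login(), pop in commit()/abort().
    public static class RunAs extends Base {
        public boolean login() { RUN_AS.get().push((String) options.get("roleName")); return true; }
        public boolean commit() { RUN_AS.get().poll(); return true; }
        @Override public boolean abort() { RUN_AS.get().poll(); return true; }
    }
    // The custom module needs the secured EJB in both phases.
    public static class Custom extends Base {
        public boolean login() { securedLookup("Custom.login()"); return true; }
        public boolean commit() { securedLookup("Custom.commit()"); return true; }
    }

    public static void main(String[] args) throws LoginException {
        Configuration stack = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                var required = AppConfigurationEntry.LoginModuleControlFlag.REQUIRED;
                return new AppConfigurationEntry[] {   // run-as module first, as in the post
                    new AppConfigurationEntry(RunAs.class.getName(), required, Map.of("roleName", "InternalUser")),
                    new AppConfigurationEntry(Custom.class.getName(), required, Map.of())
                };
            }
        };
        // LoginContext calls login() on every module in order, then commit() on every module in order.
        new LoginContext("demo", new Subject(), null, stack).login();
        TRACE.forEach(System.out::println);
    }
}
```

The trace makes the two-phase ordering visible: the run-as module's commit() runs before the custom module's commit(), so any secured call made there has to establish and clear the role itself.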

                    • 7. Re: Custom Login Module accesses EJB
                      hln_chn

                      How does it work? Do you store the login (username and password) in the database?

                      Do we need to use j_username, j_password as the names of the text fields in the login form?

                      Can anyone help?