-
1. Re: Undesirable Authentication "Feature"
petertje Mar 14, 2003 11:24 AM (in response to aweissman)
This is caused by the fact that the ClientLoginModule associates security context with the current thread, and Tomcat uses thread pooling for serving requests. Other symptoms are that the client that is logged in sometimes appears not to be logged in either (because it is served by a different thread).
The solution is to do a JAAS login for each request. More explanation and code samples can be found at http://www.luminis.nl/publications/websecurity.html
Hth
Peter. -
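The thread-pool effect described in the reply above, next to the per-request login it recommends, as an added example that is not part of the original thread or of JBoss. It assumes a `ThreadLocal` as a stand-in for the context that ClientLoginModule binds to the thread, and the class, method and user names are hypothetical.

```java
import java.util.concurrent.*;

// Added illustration, not code from the thread or from JBoss.
public class ThreadBoundLoginDemo {
    // Assumption: a ThreadLocal stands in for the security context that the
    // login module associates with the current thread.
    static final ThreadLocal<String> PRINCIPAL = new ThreadLocal<>();
    static void login(String user) { PRINCIPAL.set(user); }   // stand-in for LoginContext.login()
    static void logout() { PRINCIPAL.remove(); }              // stand-in for LoginContext.logout()

    // Identity a downstream call would see on this thread.
    static String caller() { String p = PRINCIPAL.get(); return p == null ? "anonymous" : p; }

    // Login-once pattern: only the login request authenticates; later requests
    // run with whatever identity the pooled thread still carries.
    static String handleLoginOnce(String loginAs) {
        if (loginAs != null) login(loginAs);
        return caller();
    }

    // Per-request pattern: bind the identity held in this request's own
    // session, and always clear the thread before it returns to the pool.
    static String handlePerRequest(String sessionUser) {
        try {
            if (sessionUser != null) login(sessionUser);
            return caller();
        } finally {
            logout();
        }
    }

    // Serve "alice", then a visitor with no session, on the same single worker thread.
    static String visitorAfterAlice(boolean perRequest) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(1);
        try {
            Callable<String> alice = () -> perRequest ? handlePerRequest("alice") : handleLoginOnce("alice");
            Callable<String> visitor = () -> perRequest ? handlePerRequest(null) : handleLoginOnce(null);
            pool.submit(alice).get();
            return pool.submit(visitor).get();
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("login once:  visitor runs as " + visitorAfterAlice(false));
        System.out.println("per request: visitor runs as " + visitorAfterAlice(true));
    }
}
```

With the login-once handler the visitor inherits the identity left on the pooled thread; with the per-request handler the `finally` block clears it before the thread is reused.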
2. Re: Undesirable Authentication "Feature"
aweissman Mar 14, 2003 11:27 AM (in response to aweissman)
Thanks Peter for all the help and explanation.
-
3. Re: Undesirable Authentication "Feature"
aweissman Mar 18, 2003 11:35 AM (in response to aweissman)
Hey Peter - I assume you got all this working...
The only part I couldn't get is to have the web tier perform a JAAS login. Right now, any credentials will get you in, even though only the correct credentials will allow you to invoke EJB methods.
I can't find any correlation between the JAAS application specified in SecurityContextFilter, the one specified in auth.conf, and the one in login-config.xml in JBoss. Do you have any insight on how this should work?
Thanks in advance,
Alan -
5. Re: Undesirable Authentication "Feature"
aweissman Mar 18, 2003 12:02 PM (in response to aweissman)
Forgot to mention....
I think that the web's initial JAAS login is not really being performed because nowhere do I specify where the JBoss server is that it needs to perform the login on!