-
1. Re: App-based authentication with declarative authorization
First I should say I am no kind of expert in this field. But anyway, if I understand your question, I am just trying to manage the same thing with no success at all. I think this should be possible by setting appropriate <run-as>roleName</run-as> element for your login servlet in web.xml descriptor. But I have no luck with this so far. Furthermore, I found a note in the JBoss book that this configuration is unsupported by JBoss as of yet.
I still hope this is somehow possible to do with JBoss. In my point of view declerative security is pretty unusable without this. In case you find a way how to do that post a message, please. -
2. Re: App-based authentication with declarative authorization
glum,
I might have found a solution for you, though it is not directly applicable in my case. My problem is with declarative 'web' security. Yours is with declarative 'ejb' security.
Please read the article in this url:
http://www.luminis.nl/publications/websecurity.html
You could use the ClientLoginModule (described in the article) from your servlet to log in to the ejb security layer. Since your servlet is unsecured, you cannot get the user-id and password from the HttpSession as described in the article. Instead, you could use a fixed user-id and password, probably passed as init-parameters to the servlet from web.xml. This user-id should have the role required for the ejb.
Let me know if this works for you. -
3. Re: App-based authentication with declarative authorization
Thanks a lot for your message. I am running out of the time, so I have moved securing application down in my priority list :-( Once I have finished other tasks, I'll certainly go back and follow your suggestions.
I have a suggestion for you too, but I have no idea if it is possible or not. Maybe you can still use the Form - based authentication. Instead of submitting login form to j_security_check action, submit it to some Servlet which will append context URI or whatever you want to j_username request parameter. Then, it will finally forward request to j_security_check action.
Again, I have no idea if this is applicable to you or even possible at all.
- glum -
4. Re: App-based authentication with declarative authorization
I did try forwarding from a custom Login servlet, but it gives a message in the browser:
400 - j_security_check not found.
If I do a sendRedirect from the servlet, it works fine. But then, I have to append the parameters to the URL and then the password is visible in plain text in the browser URL address field. -
5. Re: App-based authentication with declarative authorization
I did try forwarding from a custom Login servlet, but it gives a message in the browser:
400 - j_security_check not found.
If I do a sendRedirect from the servlet, it works fine. But then, I have to append the parameters to the URL and then the password is visible in plain text in the browser URL address field. -
6. Re: App-based authentication with declarative authorization
I did try forwarding from a custom Login servlet earlier, but it gives a message in the browser:
400 - j_security_check not found.
If I do a sendRedirect from the servlet, it works fine. But then, I have to append the parameters to the URL and then the password is visible in plain text in the browser URL address field.