Complex question - role of ClientLoginModule vs DatabaseServ
pharaohh Jun 18, 2003 8:55 AM

After reading the JBoss book we purchased and the quick start guide, I've found that the ClientLoginModule doesn't actually authenticate anything. From the book:
"Note that this login module does not perform any authentication. It merely copies the login information provided to it into the JBoss server EJB invocation layer for subsequent authentication on the server."
I checked the source code and there are no JNDI lookups going on, and according to the above quote, I'm assuming the ClientLoginModule doesn't access any server. To the best of my knowledge when an EJB remote interface is looked up from JNDI sometime later, there is something that "plugs in" the previously collected ClientLoginModule data into the server when calling the EJB methods (which is then intercepted by the SecurityInterceptor). Then the server actually executes the DatabaseServerLoginModule (or other, depending on your authentication store) using the information that was stored on the standalone client during initial execution of the ClientLoginModule. Since the DatabaseServerLoginModule is executed for every EJB method call declared to be secure, an authentication cache can be maintained to increase performance to prevent redundant authentications.
Am I correct in my assumptions? I don't believe the books are too clear on this subject.
And, if I'm assuming correctly, this means that there is no "instantaneous" authentication of a user from a standalone client. They are only "truly" authenticated when executing an ejb interface method (and they are authenticated every time they execute a method, unless using the cache).
Now, keeping the above information in the back of your mind, this is what I initially wanted to accomplish:
A standalone client is started, and the first thing they see is a login screen. Upon entering a username and password, and clicking enter or submit (or some other swing button), they should be told immediately if the username is valid, or if the password is incorrect for that username, or if their password has expired (and the gui subsequently redirects them to a password update page or something).
Now, according to the information on the ClientLoginModule, this would not be possible, since it doesn't talk to the server to determine if the username is correct, etc.
So, is the best solution to create a "LoginManagerBean" EJB implementation that has methods that would tell me this information? Then the standalone client code would do a jndi lookup on this bean and execute all the methods it needs to determine that the user has authenticated properly. Finally, the ClientLoginModule would be executed with the username/password just authenticated. This would ensure calls to secure ejb methods on the server would operate as specified in the manual (ClientLoginModule -> SecurityInterceptor -> DatabaseServerLoginModule).
Can anyone verify if this is an optimal solution?
Thanks so much in advance for any replies,
Les
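The two-step flow the post proposes (ask a server-side bean to verify the credentials, then run ClientLoginModule so later secured EJB calls carry the principal), written out as an added example for a standalone JBoss 3.x client. This is illustration code, not from the book, the poster, or JBoss itself. The `LoginManager`/`LoginManagerHome` interfaces, the JNDI name `ejb/LoginManager`, the `checkCredentials` method and its result codes, and the `jnp://localhost:1099` provider URL are all assumptions standing in for the "LoginManagerBean" the post describes; `org.jboss.security.ClientLoginModule`, `org.jboss.security.auth.callback.UsernamePasswordHandler` and the JAAS `LoginContext` are real.

```java
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

// Hypothetical remote interface for the "LoginManagerBean" from the post (an assumption).
// Its method has to be callable with no principal at all, so in ejb-jar.xml it must be
// declared <unchecked/>; the client has not logged in yet when it calls this.
interface LoginManager extends javax.ejb.EJBObject {
    int OK = 0;
    int BAD_CREDENTIALS = 1;   // unknown user or wrong password, deliberately not distinguished
    int PASSWORD_EXPIRED = 2;

    int checkCredentials(String username, char[] password) throws java.rmi.RemoteException;
}

interface LoginManagerHome extends javax.ejb.EJBHome {
    LoginManager create() throws javax.ejb.CreateException, java.rmi.RemoteException;
}

public class StandaloneClientLogin {

    // Name of the entry in the client's auth.conf (assumption). The entry itself is just:
    //   client-login { org.jboss.security.ClientLoginModule required; };
    // and the JVM is started with -Djava.security.auth.login.config=auth.conf
    private static final String CLIENT_LOGIN_CONFIG = "client-login";

    static InitialContext jbossContext() throws Exception {
        Properties p = new Properties();
        p.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
        p.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
        p.put(Context.PROVIDER_URL, "jnp://localhost:1099"); // assumption: server on this host
        return new InitialContext(p);
    }

    /** Step 1: the only real authentication happens here, on the server, in an unchecked method. */
    static int verifyOnServer(InitialContext ctx, String user, char[] password) throws Exception {
        Object ref = ctx.lookup("ejb/LoginManager"); // assumption: JNDI name of the hypothetical bean
        LoginManagerHome home =
            (LoginManagerHome) PortableRemoteObject.narrow(ref, LoginManagerHome.class);
        return home.create().checkCredentials(user, password);
    }

    /**
     * Step 2: only after the server answered OK, run ClientLoginModule. No server round-trip
     * happens here; the module just records the principal and credential in the client's
     * invocation layer so every later EJB call carries them to the SecurityInterceptor,
     * where DatabaseServerLoginModule (or the configured server-side module) checks them.
     */
    static LoginContext clientLogin(String user, char[] password) throws LoginException {
        LoginContext lc = new LoginContext(CLIENT_LOGIN_CONFIG,
                                           new UsernamePasswordHandler(user, password));
        lc.login();
        return lc;
    }

    public static void main(String[] args) throws Exception {
        String user = args[0];
        char[] password = args[1].toCharArray(); // in a Swing client this comes from the login dialog

        InitialContext ctx = jbossContext();
        int result = verifyOnServer(ctx, user, password);

        switch (result) {
            case LoginManager.OK:
                LoginContext lc = clientLogin(user, password);
                // ... look up and call secured EJBs here; each call is authenticated server-side ...
                lc.logout(); // clears the client-side principal/credential when the session ends
                break;
            case LoginManager.PASSWORD_EXPIRED:
                System.out.println("password expired, redirect to the password update screen");
                break;
            default:
                System.out.println("invalid username or password");
                break;
        }
        java.util.Arrays.fill(password, '\0'); // don't keep the cleartext password around
    }
}
```

Two design points worth keeping in mind when building the bean. First, `checkCredentials` is itself an EJB invocation made before any login, so it must be granted to everyone (`<unchecked/>`) and should do nothing but verify; the authoritative check remains the server-side login module that runs on every secured method call, exactly as the post describes, so the bean is a user-interface convenience and not a replacement for that. Second, answering "unknown username" and "wrong password" with different codes tells any caller which usernames exist on the system; collapsing both into one "invalid username or password" result, as the example does, keeps the immediate feedback the post wants without giving that away.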