2 Replies Latest reply on Jul 8, 2003 10:32 PM by thomas.diesler

    JBoss security with web apps

    ihunter

      Hi Folks,

      I have written a JBoss/Web app and got security working! However, the server loses the principal after a few requests.

      To work around, I have (in desperation) used stateful session beans instead of stateless for the session facades - the problem went away (I keep a handle to the session bean in the web session). I would *love* to use stateless beans - they're more appropriate.

      I've set up jboss-web.xml with the security domain. Is there anything else I could do which would tie the web/jboss security without resorting to stateful beans?

      Many Thanks
      Ian Hunter

        • 1. Re: JBoss security with web apps
          andyjeff

          When you say the server 'loses' the principal after a few requests, are you sure it has lost it? One thing that it does do is when calling a web method that doesn't have security constraints, it will return NULL as the userPrincipal etc. It only returns the userPrincipal when the method invoked has security specified on it.

          What you can do is store the principal and any roles in the user's HttpSession ... since that is around for the duration, and check on it from there ... that way you needn't bother with the overhead of having beans for this.

          • 2. Re: JBoss security with web apps
            thomas.diesler

            Maybe this is basic.

            During the login action I can store the Subject returned from the LoginContext in the HttpSession. On subsequent requests I'd like to use this Subject to call my stateless session beans.

            I cannot figure out how to tell the web layer which Principal to use when calling the EJB layer.