1. Re: JAAS and non-container-managed authenticated web-apps.
jensr Sep 21, 2003 2:25 AM (in response to jensr)

After some more investigation, I found the answer.
It was wrong to use explicit authentication inside
a non-authenticated webapp.
The solution was instead to declare a run-as role in
web.xml and unauthenticatedIdentity in login-config.
To be more concrete:
--- web.xml ---
...
  <servlet-name>Echo</servlet-name>
  <servlet-class>server.web.EchoServlet</servlet-class>
  <run-as>
    <role-name>foobar</role-name>
  </run-as>
...
<security-role>
  <role-name>foobar</role-name>
</security-role>
--- END web.xml ---
--- login-config.xml ---
<application-policy name = "foobar">
  <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
    <module-option name = "unauthenticatedIdentity">nobody</module-option>
  </login-module>
</application-policy>
--- END login-config.xml ---
--- bean lookup ---
import javax.ejb.CreateException;
import javax.naming.InitialContext;
import javax.naming.NamingException;

// Looks up the local home and creates the bean; the call runs under the
// run-as role declared for this servlet in web.xml, so the EJB container
// sees role "foobar" even though the web tier never authenticated anyone.
private FoobarLocal getBean() throws NamingException, CreateException {
    FoobarLocalHome h = (FoobarLocalHome) new InitialContext().lookup("ejb/FoobarLocalHome");
    return h.create(...);
}
--- END bean lookup ---
However, there is one remaining problem.
The web.xml declared run-as for a particular servlet.
This implies that a JSP-based webapp needs to declare
a servlet clause with a run-as for every JSP page that
a) creates
and/or
b) invokes
a bean.
It also complicates matters, a lot, for a Struts-based webapp.
What I really want to do is simply declare run-as for the
whole webapp.
Any comments on this are highly appreciated.
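Added example, not part of the original post or of JBoss: a complete EchoServlet that fits the web.xml fragment above, so the run-as mechanism can be seen end to end. It assumes (these are assumptions, not taken from the post) a local interface `FoobarLocal` with a method `echo(String)` and a home with a no-argument `create()`; the post elides the create arguments. The servlet prints `request.getUserPrincipal()` alongside the EJB result: in a webapp without a web-tier login-config that principal is null, yet the EJB call succeeds, because the container performs it under the `foobar` run-as role rather than under the web caller's (absent) identity. The role the bean's method-permission entries require is therefore granted to every request that reaches this servlet, so it should carry no more than what the servlet's EJB calls need.

```java
package server.web;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.ejb.CreateException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed application interfaces (not shown in the post):
//   FoobarLocalHome extends javax.ejb.EJBLocalHome { FoobarLocal create() throws CreateException; }
//   FoobarLocal     extends javax.ejb.EJBLocalObject { String echo(String s); }
public class EchoServlet extends HttpServlet {

    // Same JNDI name as the post's lookup; the create() signature is an assumption.
    private FoobarLocal getBean() throws NamingException, CreateException {
        FoobarLocalHome h = (FoobarLocalHome) new InitialContext().lookup("ejb/FoobarLocalHome");
        return h.create();
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // No web-tier authentication is configured, so this is null for every request.
        // The EJB call below still runs with role "foobar" because web.xml declares
        // <run-as> for this servlet: the container swaps identities at the EJB boundary.
        Principal webUser = req.getUserPrincipal();

        String msg = req.getParameter("msg");
        if (msg == null) {
            msg = "";
        }

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("web-tier principal: " + (webUser == null ? "none" : webUser.getName()));
        try {
            out.println("echo: " + getBean().echo(msg));
        } catch (NamingException e) {
            // Home not bound: deployment problem, not a caller problem.
            throw new ServletException("EJB home not bound at ejb/FoobarLocalHome", e);
        } catch (CreateException e) {
            throw new ServletException("could not create Foobar bean", e);
        }
    }
}
```

Deploy it with the web.xml and login-config.xml fragments from the post; a request such as `GET /echo?msg=hi` should report `web-tier principal: none` followed by the bean's echo, which is the observable sign that run-as, not a web login, supplied the role.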