2 Replies Latest reply on Jun 23, 2004 3:29 AM by ronaldoc

    [ Confirm my doubts ] JBoss does not need the JAAS Login con

    ronaldoc

      Context:

      A webapp in Tomcat accessing session beans.
      The web and the EJB container are defined to be under the same security domain.

      Conclusion:

      In this environment, we don't need to specify a JAAS login configuration file, e.g. auth.conf, because the security interceptor will catch unauthenticated access to web assets and forward authentication to the JAAS. Correct? Within JBoss, the login-config.xml in each server context serves as a replacement for the auth.conf file.

      Please correct me if there's anything wrong with my perception above.

      Regards,

      Roonaldo
      Euroo 2004

        • 1. Re: [ Confirm my doubts ] JBoss does not need the JAAS Login
          blackers

          I am only new to JAAS in JBoss and as such may not be right; however, I don't think your statement is correct.

          My understanding is that although you do not need to specify an auth.conf in your webapp, you still have to specify the security domain that you are working with. jboss-web.xml is used to store this data and acts as a replacement for auth.conf, if you like. The login-config.xml is not a replacement for auth.conf, as your auth.conf would only generally point to a configuration in login-config.xml that it wishes to use (not replace its use; at least that is my understanding of how it integrates with JBoss and EJB etc.). So my understanding is that jboss-web.xml is more of a replacement of auth.conf for your webapp.

          Hope this helps, somebody correct me if I am wrong.

          Mat

          • 2. Re: [ Confirm my doubts ] JBoss does not need the JAAS Login
            ronaldoc

            Mat,

            So my understanding is that jboss-web.xml is more of a replacement of auth.conf for your webapp.

            OK. What you said makes sense.

            Ronaldo
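
The files discussed in this thread, shown together as an added example that is not part of the original posts: the web application and the session beans each name the same security domain, and login-config.xml defines the JAAS login modules for that name. The domain name `example-domain` and the two properties file names are assumptions chosen for illustration.

```xml
<!-- Added example; "example-domain" and the .properties file names are assumed. -->

<!-- WEB-INF/jboss-web.xml: binds the web application to a security domain -->
<jboss-web>
    <security-domain>java:/jaas/example-domain</security-domain>
</jboss-web>

<!-- META-INF/jboss.xml: binds the session beans to the same domain -->
<jboss>
    <security-domain>java:/jaas/example-domain</security-domain>
</jboss>

<!-- server/<config>/conf/login-config.xml: the JAAS login modules for that domain -->
<policy>
    <application-policy name="example-domain">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                          flag="required">
                <module-option name="usersProperties">users.properties</module-option>
                <module-option name="rolesProperties">roles.properties</module-option>
            </login-module>
        </authentication>
    </application-policy>
</policy>
```

The name after `java:/jaas/` has to match the `application-policy` name exactly. If no policy matches, JBoss falls back to the policy named `other`, so a typo in the domain name silently changes which login modules authenticate the application.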