1 Reply Latest reply on Jul 10, 2004 11:54 AM by starksm64

How to share JAAS login context for multiple EJB calls?

dhwu Jul 8, 2004 3:10 PM

Two EJBs are deployed in JBoss, each belonging to a separate application
with its own .ear file (they do not have to be deployed in the same
container). One bean calls the other for some services, and perfoms
the JAAS login (and does not authenticate as JBoss doc suggests) for the
clients before invoking EJB calls to the other bean on behalf of the clients.
The other bean authenicates the caller's credentials before actually
performing the requested task.

It is desirable that the calling bean is able to use the same security
context for a group of clients (they have the same roles) without
creatiing the LoginContext each time before invoking the EJB call
to the other bean. It turned out that if the EJB object handle to the
other bean is kept and re-used for multiple method invocations, the
other bean fails to authenticate the caller after the first successful
invocation. What is broken here?

The questions is: can a JAAS LoginContext shared by multiple EJB
method invocations on the cached reference (client side stub) to
a remote EJB ?

Any insights or suggestions would be highly appreciated.

1. Re: How to share JAAS login context for multiple EJB calls?

starksm64 Jul 10, 2004 11:54 AM (in response to dhwu)

The security context is a property of the call and has to be established every time. A LoginContext is just the mechanism used to associate the incoming security context with the container. You cannot share LoginContexts in a multi-threaded multi-user envrionment like a server. The default behavior of the org.jboss.security.ClientLoginModule used by clients is to associate the security context globally across all callers such that a single login affects all subsequent calls. This is still not sharing LoginContext, its simply relying on the side effects of the configured login modules having global semantics.
Actions