0 Replies Latest reply on Feb 9, 2005 3:59 PM by fmaredia

    JAAS and JBoss Security Design

    fmaredia

      The following is from my LoginAction class:

      // Imports needed at the top of LoginAction.java
      import java.util.Set;
      import javax.naming.InitialContext;
      import javax.security.auth.Subject;
      import javax.security.auth.callback.CallbackHandler;
      import javax.security.auth.login.LoginContext;
      import org.jboss.security.SimplePrincipal;
      import org.jboss.security.auth.callback.SecurityAssociationHandler;

      // username and password come from the login form; Logon is the EJB's remote interface
      try
       {
        // Hand the username and password to JBoss's client-side callback handler
        SecurityAssociationHandler handler = new SecurityAssociationHandler();
        SimplePrincipal user = new SimplePrincipal(username);
        handler.setSecurityInfo(user, password.toCharArray());

        // Authenticate through the JAAS configuration entry named "MySqlDBRealm"
        LoginContext loginContext = new LoginContext("MySqlDBRealm", (CallbackHandler) handler);
        loginContext.login();
        Subject subject = loginContext.getSubject();
        Set principals = subject.getPrincipals();
        principals.add(user);

        // Look up the Logon EJB through JNDI and call it as the authenticated caller
        InitialContext ctx = new InitialContext();
        Logon logon = (Logon) ctx.lookup(Logon.class.getName());
        System.out.println("Addition: " + logon.add(2, 2));
        System.out.println("Subtract: " + logon.subtract(4, 2));
       }
       catch (Exception e)
       {
        // LoginException from login(), NamingException from the lookup, or an EJB failure
        System.out.println("Incorrect password or username");
       }
      


      Sorry, it is difficult to explain. I am sure I am not properly thinking. What I want to know is that I can successfully execute my EJB since I logged in, but if another class were to execute the methods on the EJB, I get a principal=null error. What I want to know is, do I put the LoginContext variable in my session scope? If I don't, then do I have to log in each time before I execute a call on the EJB? In a web application you log the user in once. After that you would probably put something in the session scope to avoid them having to log in again and again. Can someone suggest to me how they implemented such a methodology?