6 Replies Latest reply on May 18, 2005 11:56 AM by tcherel

    JAAS in servlet calling EJBs

    tcherel


I have spent quite some time on JAAS in a pure EJB environment (remote EJB client calling server side EJBs) and I believe that I understand how this is working.

      I was now wondering how this is working when the client application is a web application going through a servlet that then accesses the backend EJBs.

I saw quite a few forum posts on the subject, but none of them gave me the overall picture on how this is working.

I guess the first "basic" question is how the security context (security association) is associated with an HTTP request before the backend EJBs are invoked.
      I can imagine a "few" solutions:

      1) The first approach would be to go through JAAS authentication (ClientLoginModule) at each HTTP request. This seems a little "brutal" especially if the "client" JAAS configuration contains other JAAS login modules that might perform real authentication work.

2) There is this multi-threaded option of the ClientLoginModule that will store the security association at the thread level. But this will assume that all HTTP requests from a given client are handled by the same thread, which I am not sure is guaranteed.

3) Using the HTTP session to cache the association and restore it at each new HTTP request for the same HTTP session.

      4) Any other solutions I did not think of.....

      Any hints on how JBoss does it (from a general architecture point of view)?

      Thanks.
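As an added illustration of options 1 and 3 above (this is example code written for this page, not code from the thread or from JBoss), the filter below re-binds a principal and credential cached in the HTTP session to the current thread's security association at the start of each request, and clears it again in a finally block. It uses the JBoss 3.2/4.x-era org.jboss.security.SecurityAssociation API, which is the same association ClientLoginModule writes to on commit; "client-login" is the ClientLoginModule application policy shipped in JBoss's default login-config.xml. The class name, the session attribute names and the web.xml wiring are assumptions for the example.

```java
import java.io.IOException;
import java.security.Principal;

import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

/**
 * Hypothetical filter for option 3: the identity established once per HTTP
 * session is restored on the calling thread for every request so that EJB
 * calls made from the servlet carry it, then removed when the request ends.
 * Map it in web.xml with a <filter> / <filter-mapping> on the protected URLs.
 */
public class SecurityAssociationFilter implements Filter {
    // Session attribute names chosen for this example (not JBoss constants).
    static final String PRINCIPAL_ATTR = "example.jaas.principal";
    static final String CREDENTIAL_ATTR = "example.jaas.credential";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        Principal principal = null;
        Object credential = null;
        if (session != null) {
            principal = (Principal) session.getAttribute(PRINCIPAL_ATTR);
            credential = session.getAttribute(CREDENTIAL_ATTR);
        }
        try {
            if (principal != null) {
                // The same calls ClientLoginModule.commit() makes. Inside the
                // server the association is thread-local, so it must be set on
                // the thread that will actually invoke the EJBs: this one.
                SecurityAssociation.setPrincipal(principal);
                SecurityAssociation.setCredential(credential);
            }
            chain.doFilter(req, resp);
        } finally {
            // Web container threads are pooled and are NOT tied to one client
            // (the concern raised in option 2). Clearing here keeps the next
            // request served by this thread from inheriting this identity.
            SecurityAssociation.clear();
        }
    }

    /**
     * Called once, e.g. from a login servlet, after the user's password has been
     * verified by the web tier. Caches what the filter needs for later requests.
     * The credential is sensitive: the session must not be serialized anywhere
     * untrusted, and should be invalidated on logout.
     */
    static void bindToSession(HttpSession session, String user, char[] password) {
        session.setAttribute(PRINCIPAL_ATTR, new SimplePrincipal(user));
        session.setAttribute(CREDENTIAL_ATTR, password);
    }

    /**
     * Option 1 for comparison: a full JAAS login against the "client-login"
     * policy on every request. ClientLoginModule only records the identity on
     * the thread; it does not talk to the server, so it is cheap on its own.
     * It becomes "brutal" only if the policy stacks modules that really
     * authenticate (database, LDAP, ...) on each call.
     */
    static LoginContext loginPerRequest(String user, char[] password) throws LoginException {
        LoginContext lc = new LoginContext("client-login",
                new UsernamePasswordHandler(user, password));
        lc.login();
        return lc; // caller must lc.logout() in a finally block after the EJB calls
    }
}
```

Whichever option is used, the invariant that matters is the one in the finally block: the association is per thread, the thread is per request rather than per client, so every set must be paired with a clear on the same thread before the request completes.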





        • 1. Re: JAAS in servlet calling EJBs
          starksm64

          What is wrong with chap8 in the admin devel guide which describes this?

          • 2. Re: JAAS in servlet calling EJBs
            tcherel


            The one I have is the 3.2.X version.
            It explains very well how this is done from an EJB container and EJB client point of view, but it is not very explicit on how this is working when integrated with a Servlet container like tomcat.
            Is there a more recent version with more details on this subject?

            Thomas

            • 3. Re: JAAS in servlet calling EJBs
              starksm64

              From a high level it is just the same as the ejb container, there is an interceptor (tomcat valve) which propagates the current security context to the request. Specifically, org.jboss.web.tomcat.security.SecurityAssociationValve.

              • 4. Re: JAAS in servlet calling EJBs
                tcherel


I see (I was actually in the middle of digging into that - see related post I sent earlier).

I am also assuming that this valve is populating the credential cache or something like that.
What I mean is once the web container has authenticated the user, even though my EJBs are also configured with a security domain, a second authentication is not performed for the EJB.
Just setting the security associations is not enough for the EJB authentication to not take place, is it? The credential cache must be populated or something must tell the EJB container to not go through the JAAS authentication again. Correct?

                Thomas

                • 5. Re: JAAS in servlet calling EJBs
                  starksm64

                  A single security domain has a single cache. There may be other higher level caches, but the same Subject with the custom principal added by the original authentication is there.

                  • 6. Re: JAAS in servlet calling EJBs
                    tcherel

                    Got it.
I now understand better how the identity is propagated between the tomcat web container and JBoss.
                    Thanks for the help.

                    Thomas