some stuff learned:
- In my Wicket Base Page, I need to setup a Configuration that has my custom login module to setup stuff, roles, etc
- plus the ClientLoginModule which will setup propagation to the EJB layer (only this one does it, according to docs in some places)
- the LoginModule needs to setup the roles.
- In order to do so, it needs an instance of my "User" class, to get the roles from the database. To get to those, I need to lookup an EJB since the LoginModule does not have access to PersistenceContext et all
- and since I have a <s:security-domain> for <ejb-name>*</ejb-name> in my EJB layer, the one EJB that is used from the LoginModule must live in another place (WAR or different EAR) so it can be called to setup JAAS without an existing security-domain. (endless loop trying to setup security in order to setup security ... otherwise)
Phew, that was some work.
The only stupid thing I see now, is that JAAS is setup twice, once from WAR layer ("client") and once from EJB layer ("server"), if I saw that correctly.
Any ideas, suggestions, comments, etc so far anyone ?
In case you are trying to do something similar silly: DONT !
Save yourself 5 nights of frustating hacking, and just build your own @SessionScoped call context in the web layer, and check it with a standard default EJB interceptor at the ejb layer.
no magic involved, works in one night, 4 nights off to the pub !
Despite the ugly and silly LoginModule callback and JAAS Configuration coding (40+ lines to set a user and password you already have in two Strings), unless the WAR is not secured in itself, you will have to setup JAAS for every call, even AJAX etc, making it not easier with e.g. Wicket. And once you have that, you realize that JAAS/PicketBox will just "cache" the credentials on the server side for as long as it thinks is cool, allowing access to client you already have revoked access from. Code for clearing the JAAS cache found on the net would win some obfuscation contest, but will not work with a deployed (not configured in server) security-domain - only those defined in standalone.xml will be visible e.g. from CLI...