1 Reply Latest reply on Sep 25, 2001 11:28 PM by Scott Stark

    proposal for simpler client-side handling of JBoss security

    J. Wolfgang Kaltz Novice

      Hi everyone & Scott if you're reading this thanks for your excellent article in JavaWorld, it really helped me to get an understanding of the not-so-trivial topic.

      As I understand, clients of JBoss (stand-alone or servlets) need to do always the same thing : perform a JAAS login with a configuration of org.jboss.security.ClientLoginModule - this helps to bind the user data to JBoss, and the JBoss server then actually performs authentication using one of the "real" JBoss LoginModules or a custom one. At least, this seems to be the preferred way of doing things.
      As I tried to explain to our servlet programmer (Cocoon actually, to be precise) the steps he had to do to be able to call a (secured) EJB, it occurred to me that it is a lot of work for doing always the same thing, that is to trigger the execution of the JBoss ClientLoginModule. So I developed my own implementation of javax.security.auth.login.Configuration to contain just this one JBoss client configuration, and wrapped all the login stuff in a JBossClient class, so a developer of servlets (or whatever) which call JBoss EJB's just needs to use this one class, and doesn't need any auth.conf file and Jaas code.

      Does this seem like a reasonable way of doing things ? Might this actually be useful as a JBoss client-side plugin in the jboss-jaas.jar, for accelerating client development ?
      If anybody thinks this might be useful, I'll be glad to post or mail the code.