0 Replies Latest reply on Nov 5, 2001 2:14 AM by Ludovic Deravet

    JAAS Security design issue

    Ludovic Deravet Newbie

      Hi all,

      I've a question about how JAAS is working within JBoss. I'm in charge in securing our application so I've created some custom login modules ( that use SRP, certificate, smart card ) that populate a Subject object. This Subject object contains an identity and roles that will give access to some EJB on the server.

      In the specification, it's stated that when making a call to in EJB ( using Subject.doAs( subject, action ) ), the populated subject is passed to the server. But it seems that this is not the case.

      Indeed, when my client calls an EJB only roles that come from roles.properties ( since i'm using the default UserRolesLoginModule ) are checked against that EJB's method permissions.

      Did I miss something ? If yes, can someone explain me how I can get on the server the Subject populated on the client side ?

      Thanks a lot for you help.