5 Replies Latest reply on Feb 18, 2002 8:03 PM by IPOz

    How do the JSP pass the principal to the session bean?

    IPOz Newbie

      Hi,friends
      My web container(tomcat) and ejb container(jboss 2.4.4) run on different VM.Now i have set the role in DD.
      What i want to know is how the tomcat passes the caller info to jboss?


      Best Regards!

        • 1. Re: How do the JSP pass the principal to the session bean?
          Adrian Brock Master

          It is passed in a MarshalledObject called
          RemoteMethodInvocation. You might consider using
          ssl for this connection if snooping is an issue.

          The proxy running on the tomcat VM retrieves the
          principal/credential from the SecurityAssociation
          attached to the current thread and adds it to the
          RemoteMethodInvocation.

          The interceptor stack on the JBoss VM uses the information
          as required, e.g. the security interceptor checks and
          sets up the SecurityAssociation for the ejb container
          using information in the method invocation.

          Is this too technical?
          Have I even answered your question? :-)

          Regards,
          Adrian

          • 2. Re: How do the JSP pass the principal to the session bean?
            IPOz Newbie

            Thanks for your answer first!

            >>The proxy running on the tomcat VM retrieves the
            principal/credential from the SecurityAssociation
            attached to the current thread and adds it to the
            RemoteMethodInvocation.

            How do i add principal/credential to SecurityAssociation?Up to now i have setup principal and role on jboss side.

            >>SSL
            Do you mean we need to build a SSL connection between tomcat and jboss? But how do i do it?
            Now the apache is connected with tomcat by using mod_webapp.so.And the user will use https:// to visit our site.Whether or not i need to build a ssl connection between apache and tomcat?
            i am a newbie for security.Any suggestion is appreciated!

            Best Retgards!

            • 3. Re: How do the JSP pass the principal to the session bean?
              Adrian Brock Master

              You don't set the SecurityAssociation, instead you use
              your web.xml to configure security.

              If you follow the links in the FAQ to the testsuite
              and the WebIntegrationUnitTestCase, you'll find an
              example of a secure web-app that calls ejbs.

              Alternatively, for a better understanding you might
              look at this link. (It's more explains JBossSX not
              your exact problem).

              http://www.jboss.org/online-manual/HTML/ch09.html

              Regards,
              Adrian

              • 4. Re: How do the JSP pass the principal to the session bean?
                Adrian Brock Master

                The SSL part is for communication between Tomcat and
                JBoss. You are running on different machines I think?
                This is not the same as the SSL connection to the outside
                world from the Web Server.

                Somebody could "sniff" the packets going between
                Tomcat and JBoss to discover the principal/credential,
                if they have access to the network for that connection.

                Regards,
                Adrian

                • 5. Re: How do the JSP pass the principal to the session bean?
                  IPOz Newbie

                  Thank you very much!
                  I think i need to look into tomcat doc now.In fact i donot know how to build a SSL connection between tomcat and JBoss :(

                  Best Regards!