4 Replies Latest reply on Mar 5, 2003 3:19 PM by Stephane

    Multi-level authentication

    Stephane Newbie

      Hi,

      I have a GUI client. It makes a user authentication with user name and password.

      It call a session bean (stateless) to make special work.

      This session bean must access BMP with an "admin" authentication to have full access rights principal...

      ---
      The GUI client must make an authentication with a user/password like "guest, guest" to access a session bean.

      The session bean must make an authentication with a user/password like "admin, admin" to access a Entity BMP.
      The Entity BMP's principal must be "admin" NOT "guest"...

      ---
      How can I do that ???

      Thanks you for help me.

        • 1. Re: Multi-level authentication
          Peter Doornbosch Apprentice

          use the runAs security identify

          in your ejb-jar.xml:

          ...
          <security-identity>
          <run-as>
          <role-name>admin</role-name>
          </run-as>
          </security-identity>


          hth
          Peter

          • 2. Re: Multi-level authentication
            Stephane Newbie

            Thanks but I'am working with EJB 1.1 !!!
            Run-As tag is only available on EJB 1.0 and 2.0.

            How can I resolve my problem in EJB 1.1 ???

            Thanks

            • 3. Re: Multi-level authentication
              Peter Doornbosch Apprentice

              > Run-As tag is only available on EJB 1.0 and 2.0.
              Surprising, but correct.

              > How can I resolve my problem in EJB 1.1 ???
              I'm afraid you can't. At least not in a appserver-independant way. If that is not your concern, you could try to set the security credentials yourself by calling SecurityAssociation.setPrincipal() etc. Never tried it myself though, so i can't garantuee it works....

              Good luck! sorry i can't help you any better ;-(
              Peter

              • 4. Re: Multi-level authentication
                Stephane Newbie

                Hi,

                I'm using JBoss 3.0.4.
                But, the "run-as" tag (in ejb-jar.xml) doesn't work.


                <ejb-name>CommandDispatcher</ejb-name>
                ...
                ...
                <ejb-class>...</ejb-class>
                <session-type>Stateless</session-type>
                <transaction-type>Container</transaction-type>
                <security-role-ref>
                <role-name>Admin</role-name>
                <role-link>Admin</role-link>
                </security-role-ref>
                <security-role-ref>
                <role-name>User</role-name>
                <role-link>User</role-link>
                </security-role-ref>
                <security-identity>
                <run-as>
                <role-name>Admin</role-name>
                </run-as>
                </security-identity>


                This session bean access a lot of BMP.
                I use a simple user login name and password like "guest" linked to the "User" role.

                In the BMP, the call of Context.isCallerInRole("Admin") returns false !!!
                And the call of Context.isCallerInRole("User") returns true.

                Normaly, I thing the two calls must return true !!

                Thanks for your help.