1. Re: Servlet Run-As & unauthenticatedIdentity
cobraflow Feb 13, 2003 10:38 AM (in response to cobraflow)
...A little more info....
1) The <unauthenticated-principal> is ignored if you specify a <security-domain> in your jboss.xml
2) The security manager does not try to authenticate if the request comes from my load-on-startup servlet (no user interaction) and hence does not get either the <unauthenticated-principal> OR the unauthenticatedIdentity (specified in the login-config.xml) so throwing the 'standard' Insufficient method permissions, principal=null,... Exception. Without a principal, the <run-as> role is never checked.
...anybody any ideas?
Lewis
2. Re: Servlet Run-As & unauthenticatedIdentity
petertje Feb 13, 2003 3:31 PM (in response to cobraflow)
> 2) The security manager does not try to authenticate
> if the request comes from my load-on-startup servlet
> (no user interaction) and hence does not get either
> the <unauthenticated-principal> OR the
> unauthenticatedIdentity (specified in the
> login-config.xml) so throwing the 'standard'
> Insufficient method permissions, principal=null,...
> Exception. Without a principal, the <run-as> role is
> never checked.
Right. A servlet 'login' is triggered by an HTTP request for a secured page. If you need a security context set in a servlet, you need to do it yourself: i.e. perform a JAAS login (with ClientLoginModule) or use JBoss-specific API calls to set it. Please note that a JAAS ClientLoginModule associates the security context with the current thread only.
Hth
Peter
Btw, I think JBoss comes with a timer-service (MBean) that can execute scheduled actions; maybe you can use this also.
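
The JAAS login described in the reply above, sketched as an added example that is not part of either post. It assumes a JAAS configuration entry named "client-login" that uses org.jboss.security.ClientLoginModule; the servlet class, the init-param names and the startupWork() hook are hypothetical.

```java
import java.io.IOException;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;

public class StartupServlet extends HttpServlet {

    public void init() throws ServletException {
        // Hypothetical init-params: keeps the credential out of the source code.
        final String user = getInitParameter("startupUser");
        final String pass = getInitParameter("startupPassword");
        if (user == null || pass == null) {
            throw new ServletException("startupUser/startupPassword init-params missing");
        }
        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] cbs) throws IOException, UnsupportedCallbackException {
                for (int i = 0; i < cbs.length; i++) {
                    if (cbs[i] instanceof NameCallback) {
                        ((NameCallback) cbs[i]).setName(user);
                    } else if (cbs[i] instanceof PasswordCallback) {
                        ((PasswordCallback) cbs[i]).setPassword(pass.toCharArray());
                    } else {
                        throw new UnsupportedCallbackException(cbs[i]);
                    }
                }
            }
        };
        LoginContext lc = null;
        try {
            // "client-login" is an assumed entry name. ClientLoginModule does not
            // verify the password; it binds principal and credential to this thread,
            // and the EJB's security domain authenticates them on invocation.
            lc = new LoginContext("client-login", handler);
            lc.login();
            startupWork(); // must run on this thread: the binding is per-thread
        } catch (LoginException e) {
            throw new ServletException("JAAS client login failed", e);
        } finally {
            // Always clear the identity so a pooled container thread does not keep it.
            if (lc != null) {
                try { lc.logout(); } catch (LoginException ignored) { }
            }
        }
    }

    /** Hypothetical hook: look up and call the secured EJBs here. */
    protected void startupWork() { }
}
```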