5 Replies Latest reply on Mar 18, 2003 12:02 PM by Alan

    Undesirable Authentication "Feature"

    Alan Newbie

      I have configured a simple case with JBoss in one JVM and Tomcat in another. JBoss is configured to use the LDAPLoginModule and is using this quite correctly, as proven by a small test client. JBoss has one SessionBean deployed in it which has method level permissions set on it.

Tomcat is correctly configured to use my auth.conf and the ClientLoginModule, and uses a CallbackHandler that I wrote to authenticate. I have two pages in Tomcat: login.jsp (performs login using the ClientLoginModule) and invoke.jsp (does a JNDI lookup and invokes a method on an EJB inside JBoss). If I try to access invoke.jsp without logging in, I get a SecurityException (this is good) which goes away if I hit login.jsp first (this is also good). However, if I go to login.jsp and a DIFFERENT client on a DIFFERENT machine goes to invoke.jsp, that client is authenticated, and can invoke the EJB method.

      Is there a way around this? I HOPE so!
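The behaviour described above is what you get when the ClientLoginModule keeps the logged-in identity in JVM-wide state that every request thread in Tomcat then shares. The following is an added example, not code from the post: it assumes the JBoss ClientLoginModule's `multi-threaded` option (which switches the stored identity to per-thread) and an auth.conf entry named `client-login`, and it scopes each login to the request that performed it by logging out in a `finally` block.

```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import java.util.concurrent.Callable;

public final class PerRequestLogin {
    // auth.conf entries this example assumes (hypothetical config names):
    //   shared identity (the behaviour the post reports):
    //     client-login { org.jboss.security.ClientLoginModule required; };
    //   per-thread identity (assumed fix; option name is an assumption):
    //     client-login { org.jboss.security.ClientLoginModule required
    //                    multi-threaded=true; };

    /** Supplies the user's own credentials to the login module for this request only. */
    private static final class RequestHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        RequestHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    /**
     * Runs one EJB invocation under the caller's identity and clears that identity
     * before the thread is handed back to the servlet container's pool, so a
     * later request on the same thread does not inherit it.
     */
    public static <T> T invokeAs(String user, char[] password, Callable<T> ejbCall) throws Exception {
        LoginContext lc = new LoginContext("client-login", new RequestHandler(user, password));
        lc.login();
        try {
            return ejbCall.call();   // e.g. JNDI lookup + remote method call from invoke.jsp
        } finally {
            lc.logout();             // remove the identity even if the call throws
        }
    }
}
```

Without the per-thread option, the `logout()` here would also clear the identity for every other in-flight request in the Tomcat JVM, which is why the configuration change and the request-scoped login go together.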