0 Replies Latest reply on Apr 22, 2003 8:13 AM by ikloeckl

    Resource authentication (jboss 3.0.4)

    ikloeckl

      Hi everyone,
      I examined protected resources (especially JMS, JDBC), and am left with some observations and questions.

      In theory, for unprotected resources I do the following:
      - declare resources in ejb-jar.xml/web.xml with <res-auth>Container</res-auth>
      - get resource in the code with
      javax.jms.QueueConnection o = factory.createQueueConnection();
      java.sql.Connection o = oDS.getConnection();

      (without username/passwords). That works fine, of course.

      Now I protect the resources. For JMS, I create the queues/topics in a service file with optional attributes "SecurityManager" and a SecurityConf. Here I can set read/write/create permissions.
      The accounts usable for such a JMS object are set in jbossmq-state.xml

      JDBC datasources can be protected by DB-related tools.

      Now I can declare the resource object with <res-auth>Container</res-auth> or <res-auth>Application</res-auth>.

      I have the choice of getting the resources in the code without login data or with login data like this:
      javax.jms.QueueConnection o = factory.createQueueConnection(user, pwd);
      java.sql.Connection o = oDS.getConnection(user, pwd);
      I think specifying login data is connected with res-auth=Application, and leaving them out is linked to res-auth=Container.

      I made the following observations:
      1) Regardless of the res-auth setting, if I supply login data (user/pwd) while getting/creating the connection, these settings are ALWAYS used and checked.
      2) Regardless of the res-auth settings, if I specify login attributes in the service file for a JDBC resource, this information is used.

      My questions are now:
      a) Is 1) correct? Are explicitly given login data really used regardless of the res-auth setting?
      b) I thought <res-auth>=Container would allow me to get connections WITHOUT specifying login data in the code. But then, where else can I specify them? In the case of JDBC, there are some attributes related to this in the service file, but for JMS??
      c) Are JDBC login attributes really preferred over the res-auth setting? What role does the "ByContainer" or "ByApplication" value play for the "Criteria" attribute?
      d) Does JBoss use the res-auth value at all??

      Thanks very much,
      Ingo