0 Replies Latest reply on May 29, 2003 8:07 AM by johndoekyrgyz

    Security during initialization of web application, please ad

    johndoekyrgyz Newbie

      I am creating a web application using struts. Many of my actions communicate with secure ejbs. I would like to place initialization code, which needs to use some of these secured beans, in the constructors of my Action objects. The problem is that the servlet conta
      2. When a user makes a request that results in calls to the EJB iner doesn't seem to have been logged in at this point. It is not until a user is logged in that I seem to be able to access my EJBs, and the only based on the security roles available to the user. What I would like to do is the following.

      1. The constructors perform initialization by accessing methods on the EJB layer with the "servlet-layer" role.

      2. When a user makes a request that results in calls to the EJB layer the user's security settings should determine whether or not those calls can be made.

      Currently I am experimenting with performing a JAAS login in the constructor method to authenticate the servlet layer so that it can use resources in the EJB layer. This is working but all calls from the servlet layer then use the security settings generated in that first login, and the security settings of individual users making requests to the servlet layer to not get propigated to the EJB layer.

      I am sure that this is a relatively common problem with a simple solution. Unfortunately I have not been able to find a similar example on the web. Any advice or suggestions that anyone can think of would be apreciated.