3 Replies Latest reply on Sep 3, 2003 4:58 AM by Peter Doornbosch

    LoginContext.login() should perform login check

    jwohlrab Newbie

      Hi,
      I'm experminenting with JBoss 3.2 security using the UsersRolesLoginModule. On the Java client (not a web client) I use ClientLoginModule. Using the ClientLoginModule the call LoginContext.login() seems just to store the login credentials. It does not perform a real login request to the server. Just at the moment the first EJB activity is initiated the security check is done.
      Is it possible to perform the "real" login while calling LoginContext.login(). Using the UsersRolesLoginModule on the client I get the requested behaviour, but it means I have to deploy users.- & roles.properties files on each client :((
      Thank you very much for your attention.
      --Joern

        • 1. Re: LoginContext.login() should perform login check
          Tilo Thiele Newbie

          You are right. Deploying a full user directory on each client is not a good idea. Don't you have a 'global' directory availabe? So you can use e.g. LDAP.

          • 2. Re: LoginContext.login() should perform login check
            jwohlrab Newbie

            For production we intend to use a directory service. But then it must be reachable from the client.
            However, would the design allow a client login module (i.e.
            a ClientUsersRoleLoginModule) which can directly delegate the login check to the app server?
            Regards,
            --Joern

            • 3. Re: LoginContext.login() should perform login check
              Peter Doornbosch Apprentice

              > Using the
              > ClientLoginModule the call LoginContext.login() seems
              > just to store the login credentials.

              That is right.

              > It does not
              > perform a real login request to the server. Just at
              > the moment the first EJB activity is initiated the
              > security check is done.

              That is because there is no such thing as "doing a login on an EJB". The security check has to be done on any EJB call (not just the first).

              > Is it possible to perform the "real" login while
              > calling LoginContext.login(). Using the
              > UsersRolesLoginModule on the client I get the
              > requested behaviour, but it means I have to deploy
              > users.- & roles.properties files on each client :((

              Yes, this is the way to go; this is how JAAS works. You configure an additional login module that performs the check you need. There is no need to stick to UsersRolesLoginModule: you can use a module that actually performs the login check on the server.

              Another option that might better suit your needs is to call a (dummy) secured EJB method at the moment you want username/password to be validated, e.g. when the user logs in into the java client.

              Hth
              Peter