1 Reply Latest reply on Jul 10, 2004 11:54 AM by Scott Stark

    How to share JAAS login context for multiple EJB calls?

    Deng Wu Newbie

      Two EJBs are deployed in JBoss, each belonging to a separate application
      with its own .ear file (they do not have to be deployed in the same
      container). One bean calls the other for some services, and performs
      the JAAS login (and does not authenticate as JBoss doc suggests) for the
      clients before invoking EJB calls to the other bean on behalf of the clients.
      The other bean authenticates the caller's credentials before actually
      performing the requested task.

      It is desirable that the calling bean is able to use the same security
      context for a group of clients (they have the same roles) without
      creating the LoginContext each time before invoking the EJB call
      to the other bean. It turned out that if the EJB object handle to the
      other bean is kept and re-used for multiple method invocations, the
      other bean fails to authenticate the caller after the first successful
      invocation. What is broken here?

      The question is: can a JAAS LoginContext be shared by multiple EJB
      method invocations on the cached reference (client-side stub) to
      a remote EJB?

      Any insights or suggestions would be highly appreciated.

        • 1. Re: How to share JAAS login context for multiple EJB calls?
          Scott Stark Master

          The security context is a property of the call and has to be established every time. A LoginContext is just the mechanism used to associate the incoming security context with the container. You cannot share LoginContexts in a multi-threaded multi-user environment like a server. The default behavior of the org.jboss.security.ClientLoginModule used by clients is to associate the security context globally across all callers such that a single login affects all subsequent calls. This is still not sharing LoginContext, it's simply relying on the side effects of the configured login modules having global semantics.
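The point of the reply, that the LoginContext only produces an authenticated Subject while the security context is something bound to each individual call, can be shown with plain JDK JAAS. The following is an added example, not code from the thread and not JBoss code: it uses a constructed LoginModule (`DemoLoginModule`, accepting any user whose password is `<user>-pw`), a constructed principal class (`User`) and a local method (`protectedService`) standing in for the remote bean that authenticates its caller. Each invocation binds the Subject with `Subject.callAs`, so the cached Subject stays usable across many calls, a call made without that binding has no caller, two callers on two threads do not interfere, and `logout()` on the LoginContext strips the cached Subject of its principals. JBoss's `org.jboss.security.ClientLoginModule` instead keeps the identity in a process-wide association, which is why one login affects every subsequent call as the reply describes; this example shows the per-call binding the reply is contrasting it with. Requires JDK 18 or newer for `Subject.callAs` and `Subject.current()`.

```java
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.CompletionException;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class PerCallSecurityContext {

    /** Constructed principal type for the demo; a real container uses its own classes. */
    public static final class User implements Principal {
        private final String name;
        User(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof User u && u.name.equals(name); }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Constructed LoginModule: the password must be "<user>-pw". Not a JBoss module. */
    public static final class DemoLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private User user;

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] {nc, pc}); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            char[] pw = pc.getPassword();
            pc.clearPassword();
            if (pw == null || !(nc.getName() + "-pw").equals(new String(pw)))
                throw new FailedLoginException("bad credentials for " + nc.getName());
            user = new User(nc.getName());
            return true;
        }
        // commit() is what actually populates the Subject; logout() empties it again.
        @Override public boolean commit() { subject.getPrincipals().add(user); return true; }
        @Override public boolean abort() { user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().remove(user); return true; }
    }

    /** In-memory JAAS configuration so no auth.conf file is needed. */
    static final Configuration DEMO_CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                DemoLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
        }
    };

    /** Supplies user name and password to the login module's callbacks. */
    static CallbackHandler creds(String user, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback nc) nc.setName(user);
                else if (cb instanceof PasswordCallback pc) pc.setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** Stand-in for the called bean: it authenticates the caller of *this* invocation. */
    static String protectedService() {
        Subject caller = Subject.current();
        if (caller == null || caller.getPrincipals(User.class).isEmpty())
            throw new SecurityException("no authenticated caller bound to this invocation");
        return "served " + caller.getPrincipals(User.class).iterator().next().getName();
    }

    /** Binds the Subject to one call; Subject.callAs wraps failures in CompletionException. */
    static String invokeAs(Subject s) {
        try { return Subject.callAs(s, PerCallSecurityContext::protectedService); }
        catch (CompletionException e) {
            if (e.getCause() instanceof RuntimeException re) throw re;
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        LoginContext alice = new LoginContext("demo", null, creds("alice", "alice-pw"), DEMO_CONFIG);
        alice.login();                                  // authenticate once ...
        Subject aliceSubject = alice.getSubject();
        System.out.println(invokeAs(aliceSubject));     // ... bind on every call: "served alice"
        System.out.println(invokeAs(aliceSubject));     // "served alice" again, the Subject is reusable

        try { protectedService(); }                     // no binding on this call, so no caller
        catch (SecurityException e) { System.out.println("outside callAs: " + e.getMessage()); }

        LoginContext bob = new LoginContext("demo", null, creds("bob", "bob-pw"), DEMO_CONFIG);
        bob.login();                                    // a second caller on another thread ...
        Thread t = new Thread(() -> System.out.println(invokeAs(bob.getSubject())));
        t.start();
        t.join();
        System.out.println(invokeAs(aliceSubject));     // ... does not disturb alice: "served alice"

        alice.logout();                                 // strips the principals from the cached Subject
        try { invokeAs(aliceSubject); }
        catch (SecurityException e) { System.out.println("after logout: " + e.getMessage()); }
    }
}
```

Run with `java PerCallSecurityContext.java` on JDK 18 or newer. The cached reference that stays valid here is the Subject produced by a completed login, not the LoginContext; what makes each call authenticated is the `Subject.callAs` binding around that call, which is the per-invocation association the reply says cannot be replaced by sharing a LoginContext.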