Hi, I suppose I'm missing a point somewhere, so please tell me.
I just don't see in what way JAAS authentication can guarantee knowledge of the user of a stand-alone client application.
Example: I'm writing a client application which connects to EJBs. I've used JAAS authentication to authenticate the user (let's say with NTLoginModule). This is on Windows XP.
Now my point is, basically anyone who has access to a computer with this application (with their own account of course) can use the application simply by editing and changing the login-configuration file and the JAAS security policy file. Am I right?
I must be missing a point here, or is JAAS authentication totally useless?
Which is why the server does its own authentication using the JAAS configuration established by the server admin. Clients are untrusted. Read the JAAS how-to in this forum to get started.
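As an added illustration of that answer (example code, not from the thread or from any particular EJB container): a client-side login with NTLoginModule only tells the client JVM who is logged on to that Windows box; it asks the user for nothing and sends nothing the server could verify. What the server can check is a credential the client actually transmits, and it checks it with its own LoginContext against a login-configuration file that lives on the server. The entry name "ServerApp", the config path in the comment and the sample user name and password are assumptions made for the example.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Server-side authentication of credentials supplied by an untrusted client.
 *
 * Assumed setup (not part of the original thread): the server admin starts the
 * server JVM with
 *     -Djava.security.auth.login.config=/etc/myapp/server-jaas.config
 * and that file contains an entry named "ServerApp" listing whichever
 * LoginModules the admin trusts. The client never sees this file and cannot
 * pick the entry name, so editing its own login config or policy file on the
 * client machine changes nothing here.
 */
public final class ServerSideAuthenticator {

    private static final String SERVER_LOGIN_ENTRY = "ServerApp"; // assumed entry name

    /** Hands the credentials received over the wire to the server's LoginModules. */
    private static final class RemoteCredentialHandler implements CallbackHandler {
        private final String username;
        private final char[] password;

        RemoteCredentialHandler(String username, char[] password) {
            this.username = username;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password); // the callback copies the array
                } else {
                    throw new UnsupportedCallbackException(cb, "Unsupported callback type");
                }
            }
        }
    }

    /**
     * Returns the authenticated Subject, or null if the server's own LoginModules
     * reject the credentials (or the server config is broken; both are "not
     * authenticated" as far as the caller is concerned). Whatever JAAS login the
     * client performed locally is irrelevant: only the values it sent are used.
     */
    public static Subject authenticate(String username, char[] password) {
        CallbackHandler handler = new RemoteCredentialHandler(username, password);
        try {
            LoginContext lc = new LoginContext(SERVER_LOGIN_ENTRY, handler);
            lc.login();                    // runs the admin-configured module stack
            return lc.getSubject();
        } catch (LoginException e) {
            return null;
        } finally {
            Arrays.fill(password, '\0');   // don't keep the secret in memory longer than needed
        }
    }

    // Constructed sample call; in an EJB deployment the container's security realm
    // performs this step before the bean method is ever invoked.
    public static void main(String[] args) {
        Subject s = authenticate("alice", "s3cret".toCharArray());
        System.out.println(s == null ? "rejected" : "authenticated as " + s.getPrincipals());
    }
}
```

The same shape applies whatever the server's LoginModule is (LDAP, database, Kerberos): the decision is made on the server, with the server's configuration, from data the client had to put on the wire, which is why tampering with the client's JAAS files gains the attacker nothing beyond what their transmitted credentials already entitle them to.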