1 Reply Latest reply on Sep 21, 2004 10:53 AM by Dan Thompson

    Help... I'm just flogging at this

    Dan Thompson Newbie

      OK I have a secure EJB app which uses LDAPAuthentication. I have several web apps that go against it. Secure and not secure. The secure web apps go against the same LDAP, using the same security domain, and all is happy. They can call the EJBs with no problem.

      The unsecure web app needs to act as a security proxy when it goes against the EJB server, That is, users need not log in, the web app itself needs to provide credentials.

      I have read the Chapter 8 over and over for the last 2 days. I've tried a wide variety of Login Modules in various combinations.

      I think the unsecured web app needs to have some security contraints in the web.xml, otherwise the web container won't have a Principal to pass to the EJB container and I will always see Authentication exception, principal=null Is this true or not?

      Next, if I have security-constraints in the web.xml, I will also need to define BASIC authentication, which means a dialog will appear, which is also not what I want. I want the web container to use some pre-configured username (and password?) in all cases for this web app. SO is there some way to use a LoginModule to provide username and password in lieu of getting it from the user?

      There is some discussion in the docs about the UsersRolesLoginModule, and having the unauthenticatedIdentity property set. But when I do this (setting it in the application-policy for the web server), the EJB server tries to authenticate against LDAP as I would expect and fails with Authentication exception, principal=null.

      Then I was thinking, why do I need to authenticate against the EJB server at all, if I've already authenticated in the web server? Isn't the principal supposed to auto-magically get sent over as part of the EJBContext when I get the home interface or do the ejbCreate or something? And is there a difference in the way local and remote beans do this? Is the EJB server actually authenticating on each and every call? It can't be. It can't be.

      I'm deep in the muck. I remember from my J2EE training that this is really easy to do, and I am just having a heck of a time trying to figure it out in JBoss 3.2.3.

      dt

        • 1. Re: Help... I'm just flogging at this
          Dan Thompson Newbie

          What I ended up doing, and I'm not sure this is the optimal solution, is I wrote a login handler that I then implement in my "unsecured" servlets.

          The advantage is that this login handler can set the credentials as it needs, and then the servlet can act as a security proxy for incoming HTTP even though the HTTP is hitting unsecured pages. Since my servlet is the gateway, it always sets credentials for the eventual calls into the EJB tier.

          This seems to give me exactly the behavior my customer thinks he wants. ie. stuff coming in through SOAP can hit only those EJBs that are open to a SOAP_USER.

          thanks all\
          dt