OK I have a secure EJB app which uses LDAPAuthentication. I have several web apps that go against it. Secure and not secure. The secure web apps go against the same LDAP, using the same security domain, and all is happy. They can call the EJBs with no problem.
The unsecure web app needs to act as a security proxy when it goes against the EJB server, That is, users need not log in, the web app itself needs to provide credentials.
I have read the Chapter 8 over and over for the last 2 days. I've tried a wide variety of Login Modules in various combinations.
I think the unsecured web app needs to have some security contraints in the web.xml, otherwise the web container won't have a Principal to pass to the EJB container and I will always see Authentication exception, principal=null Is this true or not?
Next, if I have security-constraints in the web.xml, I will also need to define BASIC authentication, which means a dialog will appear, which is also not what I want. I want the web container to use some pre-configured username (and password?) in all cases for this web app. SO is there some way to use a LoginModule to provide username and password in lieu of getting it from the user?
There is some discussion in the docs about the UsersRolesLoginModule, and having the unauthenticatedIdentity property set. But when I do this (setting it in the application-policy for the web server), the EJB server tries to authenticate against LDAP as I would expect and fails with Authentication exception, principal=null.
Then I was thinking, why do I need to authenticate against the EJB server at all, if I've already authenticated in the web server? Isn't the principal supposed to auto-magically get sent over as part of the EJBContext when I get the home interface or do the ejbCreate or something? And is there a difference in the way local and remote beans do this? Is the EJB server actually authenticating on each and every call? It can't be. It can't be.
I'm deep in the muck. I remember from my J2EE training that this is really easy to do, and I am just having a heck of a time trying to figure it out in JBoss 3.2.3.