0 Replies Latest reply on Feb 8, 2005 12:02 PM by rworsnop

    Token generation on login


      I would like to generate a token on successful password login, and then be able to use that token to access EJBs.

      I found this relatively straightforward to implement for a fat client: the client uses a LoginModule that generates a token, and then shares that token with ClientLoginModule, which ensures that it is sent with each subsequent EJB call. The EJBs are associated with a security domain whose LoginModule validates the token.

      I have a problem trying to do something similar with web applications. It seems that j_security_check/j_password will be passed as the credential to the EJBs. Because the EJBs' LoginModule is expecting a token, authentication fails.
      The password seems to be placed on the session during login, within a JBossGenericPrincipal. It gets picked up by the SecurityInterceptor on EJB calls and passed to the security manager for authentication.

      Is there a straightforward way to get JBoss to remember my token instead of the password?