6 Replies Latest reply on May 18, 2005 11:56 AM by Thomas Cherel

    JAAS in servlet calling EJBs

    Thomas Cherel Novice

      I have spent quite some time on JAAS in a pure EJB environment (remote EJB client calling server-side EJBs) and I believe that I understand how this works.

      I was now wondering how this works when the client application is a web application going through a servlet that then accesses the backend EJBs.

      I saw quite a few forum posts on the subject, but none of them gave me the overall picture of how this works.

      I guess the first "basic" question is how the security context (security association) is associated with an HTTP request before the backend EJBs are invoked.
      I can imagine a "few" solutions:

      1) The first approach would be to go through JAAS authentication (ClientLoginModule) at each HTTP request. This seems a little "brutal" especially if the "client" JAAS configuration contains other JAAS login modules that might perform real authentication work.

      2) There is this multi-threaded option of the ClientLoginModule that will store the security association at the thread level. But this will assume that all HTTP requests from a given client are handled by the same thread, which I am not sure is guaranteed.

      3) Using the HTTP session to cache the association and restore it at each new HTTP request for the same HTTP session.

      4) Any other solutions I did not think of.....

      Any hints on how JBoss does it (from a general architecture point of view)?
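Option 3 from the post, sketched as a servlet filter. This is an added example, not code from the original thread or from JBoss itself. It assumes a JAAS configuration entry named "client-login" backed by org.jboss.security.ClientLoginModule (the JBoss class that only records the caller's principal and credential on the calling thread and does no password checking of its own), the session attribute names used below, and that the filter is mapped in web.xml to the servlets that call EJBs. The JBoss API used (org.jboss.security.SecurityAssociation and org.jboss.security.auth.callback.UsernamePasswordHandler) is the JBoss 3.x/4.x API of that era.

```java
import java.io.IOException;
import java.security.Principal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

/**
 * Added example (not from the post or from JBoss): re-establish the caller's
 * security association from the HTTP session on every request, so that the
 * servlet's EJB calls are made as that caller regardless of which pooled
 * container thread happens to service the request.
 *
 * Assumed (hypothetical) names: the "client-login" JAAS entry, which is
 * expected to use org.jboss.security.ClientLoginModule, and the two session
 * attribute keys below.
 */
public class SessionSecurityAssociationFilter implements Filter {
    static final String PRINCIPAL_ATTR = "jaas.principal";   // assumed name
    static final String CREDENTIAL_ATTR = "jaas.credential"; // assumed name

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        Principal principal = (session == null) ? null
                : (Principal) session.getAttribute(PRINCIPAL_ATTR);
        Object credential = (session == null) ? null
                : session.getAttribute(CREDENTIAL_ATTR);

        if (principal != null) {
            // Bind the cached identity to the current worker thread. This does
            // not re-run any login module; authentication happened once, in
            // login() below. The EJB container reads these values when the
            // servlet invokes a bean.
            SecurityAssociation.setPrincipal(principal);
            SecurityAssociation.setCredential(credential);
        }
        try {
            chain.doFilter(req, res);
        } finally {
            // Always clear: the same pooled thread will serve other clients,
            // and a stale association would let the next request run as
            // this user.
            SecurityAssociation.clear();
        }
    }

    /**
     * Run once per session, from a login servlet, after the user has
     * submitted credentials. With ClientLoginModule the password is not
     * verified here; it is carried to the server side and checked by the
     * EJB container's login modules on the first EJB call.
     */
    public static void login(HttpSession session, String user, char[] password)
            throws LoginException {
        LoginContext lc = new LoginContext("client-login",
                new UsernamePasswordHandler(user, password));
        lc.login(); // ClientLoginModule populates SecurityAssociation for this thread
        session.setAttribute(PRINCIPAL_ATTR, SecurityAssociation.getPrincipal());
        session.setAttribute(CREDENTIAL_ATTR, SecurityAssociation.getCredential());
    }

    /** Drop the cached identity so it cannot be replayed from the session. */
    public static void logout(HttpSession session) {
        session.removeAttribute(PRINCIPAL_ATTR);
        session.removeAttribute(CREDENTIAL_ATTR);
        session.invalidate();
        SecurityAssociation.clear();
    }
}
```

Two caveats a practitioner would want with this pattern. First, the session now holds the credential in clear text, so whatever the container does with sessions (serialization to disk, replication across a cluster) also happens to the password; keep the session cookie confined to HTTPS and invalidate the session on logout, as above. Second, the `finally` clause is what makes the approach safe in a pooled-thread container: without it the thread-level association from option 2 leaks across requests from different clients, which is exactly the "same thread" assumption the post worries about.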