Is it possible to have multiple security domains in one EAR?
I have an application that consists of two major components:
1) The main application (user-facing frontend), with a custom LoginModule that auths against the hibernate store of members.
2) The customer support tool, which auths against our corporate LDAP store using the LDAPLoginModule.
My (perhaps naive) first pass designing this involves two security domains. The main application EJBs have one @SecurityDomain, the customer support EJBs have a different @SecurityDomain.
Obviously the customer support tool backend EJBs need to communicate with the main user application EJBs to manipulate user accounts, etc. What happens when the EJBs associated with one @SecurityDomain call into the EJBs of a different @SecurityDomain? I suspect bad things.
Is there a strategy for making this work?
Yes you can have more than one security-domain in an ear. However, you need to make sure that the roles that intersect the two security domains are defined in each. In other words, if EJB A in security domain A needs to communicate with EJB B in security domain B, then the run-as role defined for A must match that required by B. AFAIK!