0 Replies Latest reply on Apr 15, 2008 8:25 AM by Tim Tim

    Security with Web Services

    Tim Tim Newbie

      Hi everybody,

      I have implemented some web services residing in a war file deployed on my Tomcat. The web services module is a client to some EJBs deployed on my JBoss. I need to log the user in my realm on each WS request and log the user out before the WS response.

      I have implemented security on web applications with JBoss and used JAAS realms succesfully but what do I do in this case with Web Services? I mean the requests are stateless. If I use the org.jboss.security.ClientLoginModule
      won't this override the credentials of another user who is already logged in the realm?

      I have also implemented a standalone application which spawns a thread for each user request and I am wondering about the same thing. This application is a service listening for some kind of messages; on a message the application should log the user in the realm before calling an EJB and log the user after the request is completed. So it's more or less the same situation as above.

      Is this possible? I mean logging many users in the same realm in one non-web application?

      Any ideas?

      Thank you in advance!!!