After a few days of research about single sign-on with JBoss, I have a possible solution for our requirement.
But first, the outlined scenario:
We have a rich client (Eclipse RCP) which is running on a Windows OS. Windows is working in a domain (Windows 2003 Server), and the domain login also occurs against the Windows server. The rich client has access to EJB3 components which run in JBoss AS.
Next, the outlined requirement:
We need single sign-on, which means that the client authentication against the EJBs works with the client-side authentication info. The EJBs should be secured with a security domain, and the method access should be role based (currently it's implemented).
Does anybody know whether the following could be a possible solution? If not, does anybody have other ideas how it might work?
One possible solution (with many questions :) with Kerberos and Active Directory)?!:
I use the com.sun.security.auth.module.Krb5LoginModule for the server-side login module. The CallbackHandler on the client side fills it with the correct TGT (But how? Again with the com.sun.security.auth.module.Krb5LoginModule?). Now JBoss knows the TGT and authenticates against the ADS, and maybe it returns the roles for the user. Now I can access the secured EJBs.
Is this a possible way... or do I have a significant error in reasoning? Or any other possible ideas?