I have a set-up where an external client (Swing-based) is using the ClientLoginModule to pass its user credentials to an EJB3 Stateless service for execution. The service is annotated (@SecurityDomain) and the method calls are annotated with @RolesAllowed. The security domain is configured in the JBoss 4.2.2 login-config.xml.
All is working fine when using a socket connection (clientBindUrl = "socket://0.0.0.0:3873"). However, the client also needs to be able to communicate over HTTP (clientBindUrl = "http://localhost:8080/invoker/ServerInvokerServlet"). When using the HTTP JNDI-bound service, the Principal/Subject are null on receiving the HTTP call within the RoleBasedAuthorizationInterceptor.
I've configured the jboss-web.xml within the invoker.war\WEB-INF, but I believe this will only work with BASIC or FORM auth. I already have authentication (albeit dummy) on the fat client (Swing) using the ClientLoginModule - how do I configure the ServerInvokerServlet to use these credentials as with the socket connection (RMI)?
I've seen plenty of examples of how to secure web apps, plus examples of how to use the ClientLoginModule, but I can't find any good documentation on how to use the ClientLoginModule when calling EJB3 over HTTP (or HTTPS).
Any help/pointers would be much appreciated.
Ok, the lack of response forced me to investigate the issue myself - something I was hoping to avoid.
Turns out I had a few teething config errors. All is now working as expected.
Thanks to everyone that didn't respond, forcing me to stop being lazy!