1 Reply Latest reply on Oct 24, 2008 11:32 AM by liam bates

    ClientLoginModule & ServerInvokerServlet

    liam bates Newbie

      I have a set-up where an external Client (swing based) is using the ClientLoginModule to pass its user credentials to an EJB3 Stateless service for execution. The service is annotated (@SecurityDomain) and the method calls are annotated with @RolesAllowed. The security Domain is configured in the JBoss 4.2.2 login-config.xml.

      All is working fine when using a socket connection (clientBindUrl = "socket://"). However, the client also needs to be able to communicate over HTTP (clientBindUrl = "http://localhost:8080/invoker/ServerInvokerServlet"). When using the HTTP JNDI-bound service, the Principal/Subject are null on receiving the HTTP call within the RoleBasedAuthorizationInterceptor.

      I've configured the jboss-web.xml within the invoker.war\WEB-INF, but I believe this will only work with BASIC or FORM auth. I already have authentication (albeit dummy) on the Fat Client (swing) using the ClientLoginModule - how do I configure the ServerInvokerServlet to use these credentials as with the socket connection (RMI)?

      I've seen plenty of examples of how to secure WebApps + examples of how to use the ClientLoginModule. But can't find any good documentation on how to use the ClientLoginModule when calling EJB3 over HTTP (or HTTPS).

      Any help/pointers would be much appreciated.