
how does AppServer know the Principal in use?


Matthew Hixson

Sep 20, 2001, 10:15:20 PM
I have looked all over and have yet to see any examples or documentation
that talks about how AppServer acquires the Principal to use in
determining whether or not a bean's method should be invoked.
What I am wanting to do is have a user log in to our servlet/JSP
engine (we are using Resin from www.caucho.com) and authenticate them
and then pass on their identity to AppServer so that it can authorize
access to bean methods based on the beans' XML deployment descriptors.
I am also investigating using JAAS so that we can make use of the PAM
architecture for authentication.
There are two ideas I am thinking about right now:

1) Implementing some kind of authentication mechanism using JAAS on the
client side. Once the user is authenticated their Principal object is
passed on to AppServer.
Problems with this are that I don't know how to hand the Principal
object to AppServer (what methods to call, do I need to look up something
via JNDI?) and even if I did, what is to keep a rogue client from just
making up its own Principal object that lies about the user's identity?

2) Keep the JAAS implementation inside of AppServer implemented as a
stateless session bean.
The problem with this is that I still don't know how AppServer
decides upon the Principal to use.

There has got to be some kind of interface that allows me to tell it
what Principal owns the current Thread.

Could someone please point me to some documentation that I have
overlooked or some example code?
Thanks in advance,
-M@
