Missing something about authentication


EJB design: Missing something about authentication

  1. Missing something about authentication (1 messages)

    I'm interested in applications that have a "login" style. Users will have a username and password in a database. Once logged in, I want to use EJB ACLs to control what they have access to, etc.

    That is, I expect to use the isCallerInRole() method from my session and/or entity EJBs to control some behavior.

    As I understand it, I will collect the username and password from the user.

    I will create a new InitialContext() using these as the principal and credentials.

    I'm assuming that my app server's implementation of JNDI will validate these against a database (or other persistent store) and throw an exception if invalid.

    Assuming all is well, I can locate my EJBs via JNDI and invoke methods on them. I would assume that isCallerInRole() will reflect the role specified by the username.

    Okay, a few questions. I don't quite have a handle on how this might be implemented.

    First, after I establish my credentials, what happens to any EJBs I've already accessed (using default credentials)? Which role do these reflect ... the default role when the InitialContext() used to retrieve them was created, or the new InitialContext() created with the username and password supplied by the user?

    Second, is there some kind of affinity between HttpSession and EJB role? On a subsequent request cycle, if I access beans that I stored from a previous request cycle, is my role maintained? What if I've passivated my EJB reference to a Handle, then restored it? What if the subsequent request was handled by a different application server within a cluster?

    I guess I'm interested in how WebLogic 5.1 (or better) handles this, but I'm generally interested in knowing if application servers in general handle this important issue uniformly.
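As an added illustration of the flow the question describes (this is example code written for this page, not the poster's code), here is a client that authenticates through JNDI by passing the principal and credentials in the InitialContext environment, plus a stateless session bean that gates a method on isCallerInRole(). The WebLogic factory class name is the real one; the provider URL, JNDI name, user, role name and the bean's business logic are placeholders.

```java
import java.rmi.RemoteException;
import java.util.Hashtable;
import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.EJBHome;
import javax.ejb.EJBObject;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.rmi.PortableRemoteObject;

// Minimal EJB 2.x home and remote interfaces for the example bean.
interface AccountHome extends EJBHome {
    Account create() throws CreateException, RemoteException;
}

interface Account extends EJBObject {
    void approve(String accountId) throws RemoteException;
}

// Client side: the username and password go into the JNDI environment.
// Bad credentials surface here as a NamingException (typically an
// AuthenticationException), before any bean is looked up.
class LoginClient {
    static Context login(String providerUrl, String user, char[] password) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        // Assumption: a WebLogic provider; other servers use a different factory class.
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, providerUrl);           // placeholder, e.g. "t3://host:7001"
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        return new InitialContext(env);
    }

    static void demo() {
        try {
            Context ctx = login("t3://appserver.example:7001", "alice", "secret".toCharArray());
            Object ref = ctx.lookup("ejb/AccountHome");       // placeholder JNDI name
            AccountHome home = (AccountHome) PortableRemoteObject.narrow(ref, AccountHome.class);
            home.create().approve("ACC-0001");                // constructed sample id
        } catch (AuthenticationException bad) {
            System.out.println("login rejected: " + bad.getMessage());
        } catch (NamingException | CreateException | RemoteException e) {
            throw new RuntimeException(e);
        }
    }
}

// Bean side: the container attaches the caller's identity to each invocation,
// so the check below sees the principal the client authenticated as.
public class AccountBean implements SessionBean {
    private SessionContext ctx;

    public void setSessionContext(SessionContext c) { ctx = c; }
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}

    // "manager" is a placeholder role name; it must be declared as a
    // <security-role-ref> in ejb-jar.xml and linked to a deployed security role,
    // otherwise isCallerInRole() cannot resolve it.
    public void approve(String accountId) {
        if (!ctx.isCallerInRole("manager")) {
            throw new EJBException("caller " + ctx.getCallerPrincipal().getName()
                    + " is not permitted to approve accounts");
        }
        // ... approval logic (placeholder)
    }
}
```

The authorization decision lives in the bean, where the container-supplied SessionContext reports the identity of the current call; the client merely establishes who it is. The programmatic check shown here complements, rather than replaces, declarative `<method-permission>` entries in ejb-jar.xml, which let the container reject unauthorized callers before the method body runs.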


  2. Your user credentials are associated with the current thread after you do new InitialContext(env), if you use the env parameter to specify security info.

    If you use WebApp security, user credentials are kept in the HttpSession and thread-local security settings (user info) are set by the server before your servlet is invoked.
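To illustrate the second case in the reply above (added example, not the poster's code), here is a servlet behind container-managed form login that calls the bean without ever handling a username or password: the web container has already authenticated the user, and the identity it bound to the request thread propagates into the EJB call. The web.xml fragment is shown as a comment; the URL pattern, role name, login pages and ejb-ref name are placeholders.

```java
import java.io.IOException;
import java.rmi.RemoteException;
import javax.ejb.CreateException;
import javax.ejb.EJBHome;
import javax.ejb.EJBObject;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.rmi.PortableRemoteObject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Minimal home and remote interfaces so the servlet compiles on its own.
interface AccountHome extends EJBHome {
    Account create() throws CreateException, RemoteException;
}

interface Account extends EJBObject {
    void approve(String accountId) throws RemoteException;
}

/*
 * web.xml fragment (placeholder values) that makes the container authenticate
 * the user before this servlet is invoked:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>accounts</web-resource-name>
 *       <url-pattern>/approve/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>manager</role-name></auth-constraint>
 *   </security-constraint>
 *   <login-config>
 *     <auth-method>FORM</auth-method>
 *     <form-login-config>
 *       <form-login-page>/login.jsp</form-login-page>
 *       <form-error-page>/login-failed.jsp</form-error-page>
 *     </form-login-config>
 *   </login-config>
 *   <security-role><role-name>manager</role-name></security-role>
 */
public class ApproveServlet extends HttpServlet {
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Defensive check: the constraint above should already have enforced
        // this, but the servlet should not rely on deployment descriptors alone.
        if (req.getUserPrincipal() == null || !req.isUserInRole("manager")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        try {
            // No SECURITY_PRINCIPAL / SECURITY_CREDENTIALS here: the identity
            // the container set on this thread is what the bean will see.
            InitialContext ic = new InitialContext();
            Object ref = ic.lookup("java:comp/env/ejb/AccountHome");  // placeholder ejb-ref
            AccountHome home = (AccountHome) PortableRemoteObject.narrow(ref, AccountHome.class);
            home.create().approve(req.getParameter("accountId"));
            resp.getWriter().println("approved by " + req.getUserPrincipal().getName());
        } catch (NamingException | CreateException | RemoteException e) {
            throw new ServletException("EJB call failed", e);
        }
    }
}
```

Because the servlet never touches the password, the credential-handling surface shrinks to the container's login machinery, and the bean's isCallerInRole() check evaluates the same principal that req.getUserPrincipal() reports on the web side.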