users@glassfish.java.net

Re: Non-default security realm and ProgrammaticLogin in Glassfish?

From: <glassfish_at_javadesktop.org>
Date: Mon, 12 Nov 2007 15:29:16 PST

I am not exactly sure why you are seeing a problem, but as suggested by jmarine, if the realm (i.e., "permit") defined for use by the ejb was not fully or properly configured, then I think you will see an error in the server log, and the default realm will be assigned to the app.

For an ejb, the realm against which username passwords will be checked is defined in the ior-security-config in sun-ejb-jar.xml. In this way, the ejb is authoritative in establishing the realm against which the client must authenticate. Moreover, if you define a requirement for client authentication (in the ior-security-config), the dtd schema is defined such that you must also name the target realm. When the client side interceptor of the client ORB obtains the inter-operable object reference (IOR) for the ejb, the IOR will contain the "target_name" which identifies the authentication realm to the client. The intent was that the client would provide the realm info as a cue to the user, if it prompts the user for a password.

ProgrammaticLogin may be used by the client to proactively establish the credentials that will be used to satisfy the server's authentication requirements, but the target realm cannot be established by the client. When the credentials arrive at the server, they are processed against the realm established by the server.

The same will occur if the user is prompted for credentials via a callback handler, that is, the realm against which the username and password are validated is established by the server, not the client.

CSIv2 defines a syntax for describing the security mechanisms supported by the server. The syntax allows a server to advertise support for multiple security mechanisms, which could be used to present a choice of acceptable authentication realms to the client. Glassfish does not provide support for the configuration of multiple authentication realms by an application or ejb. If it did, you might want to have a client that could allow its user to select and apply one of the alternative supported realms.

When accessing a remote ejb protected by CSIv2/username password from a client container, the realm argument to ProgrammaticLogin is irrelevant.

Ron

ps: please do not call LoginContextDriver.doClientLogin() ...that is an internal interface. We provide the programmaticLogin class for this purpose.

ps: when called from a component in a server-side container, such as an ejb, ProgrammaticLogin behaves differently, in that it checks the username and password at the component container using the realm established for the programmatic login call, before it proceeds to use the creds on the wire.

ps: I am not sure what will happen if the realm you define via an ior-security-config differs from the realm defined for an application in sun-application.xml.
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=245128
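As an added illustration of the server-side realm binding described in the reply above (this is example configuration, not something the poster or the thread supplied): a sun-ejb-jar.xml ior-security-config that requires username/password authentication against the "permit" realm mentioned in the thread. The bean name AccountBean is a constructed placeholder; the realm name is the one from the thread, and the realm must already be configured in the domain or the server will fall back to the default realm as the reply notes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-ejb-jar PUBLIC
  "-//Sun Microsystems, Inc.//DTD Application Server 9.0 EJB 3.0//EN"
  "http://www.sun.com/software/appserver/dtds/sun-ejb-jar_3_0-0.dtd">
<sun-ejb-jar>
  <enterprise-beans>
    <ejb>
      <!-- AccountBean is a constructed example name, not from the thread -->
      <ejb-name>AccountBean</ejb-name>
      <ior-security-config>
        <!-- Transport layer: require protection on the wire so the
             username/password in the AS context are not sent in clear -->
        <transport-config>
          <integrity>required</integrity>
          <confidentiality>required</confidentiality>
          <establish-trust-in-target>supported</establish-trust-in-target>
          <establish-trust-in-client>none</establish-trust-in-client>
        </transport-config>
        <!-- Authentication service (AS) context. Per the DTD, once
             <as-context> is present, <realm> is mandatory: the SERVER names
             the realm, and it is advertised to the client in the IOR as
             target_name. A realm passed to ProgrammaticLogin on the client
             side does not override this value. -->
        <as-context>
          <auth-method>username_password</auth-method>
          <realm>permit</realm>
          <required>true</required>
        </as-context>
        <!-- No identity propagation: the caller is whoever authenticated
             with the username/password above -->
        <sas-context>
          <caller-propagation>none</caller-propagation>
        </sas-context>
      </ior-security-config>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>
```

If the realm named in `<realm>` is misconfigured or absent, check server.log for the realm error and for the fallback to the default realm before debugging the client side.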