users@glassfish.java.net

Re: Non-default security realm and ProgrammaticLogin in Glassfish?

From: <glassfish_at_javadesktop.org>
Date: Tue, 13 Nov 2007 12:29:28 PST

OK. A few things.

1. Much of my earlier description of what happens in the code was incorrect. In fact the security layer detects if it is running on the client or the server and does the realm validation only on the server.

2. Ron described having a small example working that uses an EJB in an app that used a custom realm that also uses programmatic login on the client. So this should work, for reasons I'll summarize below.

3. If the custom realm is not configured quite correctly, there might be cases that when authentication is attempted on an EJB configured with that custom realm that it falls back to use the default realm.

I'll try to summarize what's happening briefly. As Ron described in his post, the IOR returned from the server to the client for the remote EJB contains the realm name with which the EJB is configured. With either programmatic login or reactive login (using the callback handler), the username and password are sent in the message to the server, along with the realm name *from the IOR*. Any realm name specified in programmatic login is ignored. The server-side code will attempt to authenticate the username and password provided by the client in the realm configured for that EJB.

So for all of this to work, the application and/or the EJBs need to be configured for the custom realm, the custom realm needs to be set up correctly, and the username and password from the client need to be valid in that realm.

r_sudh, if you can please attach your descriptors to this thread someone can take a look at them.

- Tim
[Message sent by forum member 'tjquinn' (tjquinn)]

http://forums.java.net/jive/thread.jspa?messageID=245262
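To make the point about the realm coming from the IOR concrete, the following is an added example descriptor fragment; it is not part of Tim's post and not a descriptor from this thread. It shows the per-EJB `ior-security-config` block in `sun-ejb-jar.xml` that names the realm the server embeds in the EJB's IOR. The bean name `AccountBean` and the realm name `customRealm` are placeholders; the custom realm itself is assumed to be already registered in the server's security configuration under that exact name.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 EJB 3.0//EN"
  "http://www.sun.com/software/appserver/dtds/sun-ejb-jar_3_0-0.dtd">
<sun-ejb-jar>
  <enterprise-beans>
    <ejb>
      <!-- Placeholder bean name; must match the ejb-name in ejb-jar.xml -->
      <ejb-name>AccountBean</ejb-name>
      <jndi-name>ejb/AccountBean</jndi-name>

      <!-- Security settings that the server publishes in this bean's IOR.
           The client sends the username/password together with THIS realm
           name; a realm passed to ProgrammaticLogin on the client is ignored. -->
      <ior-security-config>
        <as-context>
          <auth-method>USERNAME_PASSWORD</auth-method>
          <!-- Placeholder realm name: it must be spelled exactly as the custom
               realm is registered on the server, otherwise authentication for
               this bean is not routed to the custom realm. -->
          <realm>customRealm</realm>
          <required>true</required>
        </as-context>
      </ior-security-config>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>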