> I see, but if SSL is enabled, then the performance
> penalty will be great, but if not, this will be a big
> security loophole. Is there any workaround?
You might try another access path to your EJB.
E.g., you could deploy it as a web service and configure the authentication to be based on WS-Security, in which case the password will be sent in a SOAP message header, and the endpoint can be configured to require encryption of the password in the header.
You "may" find that this performs better than using IIOP and SSL.
>
> Besides, how does GlassFish inform the appclient when the user
> inputs an incorrect password (will it use the callback
> handler again?)
Yes.
>
> Will it be possible for a user to log out of the appclient,
> without restarting the appclient, and allow another
> user to log in?
Yes, the appclient would need to make a call to ProgrammaticLogin.logout().
Ron
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=268812