users@glassfish.java.net

authenticateUser() of AppservPasswordLoginModule called on every call to EJB

From: <forums_at_java.net>
Date: Sun, 10 Jul 2011 17:36:12 -0500 (CDT)

I noticed that once an EJB (tried Stateless and Stateful) requires
authentication (by specifying a valid <as-context> in
glassfish-ejb-jar.xml), Glassfish keeps calling the authenticateUser()
method of AppservPasswordLoginModule for every single call to one of the EJB
methods, which doesn't seem correct to me. Since I couldn't find any
documentation on whether this behaviour is correct or not, my question is: is
this normal behaviour, a bug, or am I just doing something in the wrong way?

I'm calling the EJB method from a Java client through the remote interface
using jndi. I tested this behaviour by writing a custom login module (by
extending AppservPasswordLoginModule) and verified this behaviour by using
the FileLoginModule (to make sure I didn't make a mistake in my custom
implementation of AppservPasswordLoginModule).

I do understand that the authenticateUser() needs to be called once to
perform authentication, but didn't expect that authenticateUser() would be
called for every next request as well. The behaviour is expensive in terms of
performance (you might need to lookup your credentials in a database to
verify) and also makes your security sensitive to replay attacks (sending out
the exact same credentials over and over again over the wire makes things
easier for the man-in-the-middle waiting for a replay attack).

So my question is: is this normal behaviour? In other words, doesn't
Glassfish create a client-server session in which it saves the logged-in
state of the client to avoid subsequent calls to authenticateUser() of
AppservPasswordLoginModule?

Thanks in advance for your help,

Jan Snelders
 


--
[Message sent by forum member 'snelders']
View Post: http://forums.java.net/node/820784
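To make the observation above reproducible, here is a minimal custom login module of the kind the post describes (extending AppservPasswordLoginModule) that counts and logs every invocation of authenticateUser(). This is an added example, not code from the post or from GlassFish. It assumes the GlassFish 3.x API where `_username` and `_password` are protected String fields and `commitUserAuthentication(String[])` records the user's groups; the package name, the in-memory credential table and the group name "users" are constructed for illustration.

```java
package example.security; // hypothetical package

import com.sun.appserv.security.AppservPasswordLoginModule;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicLong;
import java.util.logging.Logger;
import javax.security.auth.login.LoginException;

/**
 * Custom login module that verifies a user/password pair against a constructed
 * in-memory table and logs how often authenticateUser() is invoked.
 * A real module would look the user up in a database or directory and compare
 * against a stored password hash, never a plaintext secret.
 */
public class CountingLoginModule extends AppservPasswordLoginModule {

    private static final Logger LOG =
            Logger.getLogger(CountingLoginModule.class.getName());

    // Static so the count survives across login attempts: the container may create
    // a fresh LoginModule instance for each login, so an instance field would
    // always read 1 (assumption about container behaviour, made for illustration).
    private static final AtomicLong CALLS = new AtomicLong();

    // Constructed sample credential store for the example.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("alice", "s3cret");
    }

    // Assumed group name; the deployment descriptor would map it to a role.
    private static final String[] GROUPS = { "users" };

    @Override
    protected void authenticateUser() throws LoginException {
        // Every EJB call that triggers authentication lands here; the log line
        // shows whether the container re-authenticates on each invocation.
        long n = CALLS.incrementAndGet();
        LOG.info("authenticateUser() invocation #" + n + " for user '" + _username + "'");

        String expected = USERS.get(_username);
        if (expected == null || _password == null) {
            throw new LoginException("Authentication failed for user " + _username);
        }
        // Constant-time comparison so the response time does not leak how many
        // leading characters of the password were correct.
        byte[] given = _password.getBytes(StandardCharsets.UTF_8);
        byte[] stored = expected.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(stored, given)) {
            throw new LoginException("Authentication failed for user " + _username);
        }
        commitUserAuthentication(GROUPS);
    }

    /** Number of authenticateUser() invocations since the class was loaded. */
    public static long invocationCount() {
        return CALLS.get();
    }
}
```

Wiring the module in requires the usual GlassFish pieces the post takes for granted: an entry in the domain's login.conf naming this class, and a realm configured to use that entry (which, for a custom realm, also needs a matching AppservRealm subclass). With that in place, the server log shows one "invocation #N" line per authentication, so comparing N against the number of remote EJB calls made by the client gives a direct measurement of whether credentials are re-verified per call, which is exactly the cost the post is asking about.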