users@glassfish.java.net

Re: authenticateUser() of AppservPasswordLoginModule called on e

From: Kumar Jayanti <v.b.kumar.jayanti_at_oracle.com>
Date: Wed, 10 Aug 2011 15:04:07 +0530

On 10-Aug-2011, at 1:41 PM, forums_at_java.net wrote:

> Does Glassfish (3) support stateful security contexts? (If I'm correct only a
> stateless security context implementation is required by the J2EE specs).
As I stated earlier, GF does not support reusable GIOP contexts. It implements Conformance Level 0 of the CSIv2 spec.
> If Glassfish does, how can this be enabled for Glassfish loginmodules. How
> for custom loginmodules?

If you want to achieve some kind of SSO for access to your EJBs, you would have to front end the EJB with a WebApp. Have SSO enabled for the WebApp and then invoke the EJB from the WebApp.

So there are two scenarios possible:

1. The WebApp is colocated with the EJB and they trust each other. So you could make the EJB unprotected by any Roles and simply invoke the EJB when the required Roles are satisfied on the WebApp.

2. The EJB Tier is remote from the WebApp, then establish trust in the client (WebApp) by requiring mutual SSL. And then the required security role could either be satisfied at the WebApp or you could send an Identity token to the EJB from the WebApp, and then the EJB could decide whether the access is allowed.



> [Message sent by forum member 'snelders']
>
> View Post: http://forums.java.net/node/820784
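Scenario 2 above, sketched as a GlassFish deployment descriptor fragment for the remote EJB. This is an added example, not part of the original message: the bean name `OrderServiceBean` and the realm `default` are hypothetical, and the file is assumed to be `glassfish-ejb-jar.xml` (`sun-ejb-jar.xml` in earlier releases).

```xml
<!-- Added example: CSIv2 IOR security settings for a remote EJB. -->
<!-- The ejb-name and realm values are hypothetical placeholders. -->
<glassfish-ejb-jar>
  <enterprise-beans>
    <ejb>
      <ejb-name>OrderServiceBean</ejb-name>
      <ior-security-config>
        <!-- Transport layer: require SSL and a client certificate,
             i.e. mutual SSL between the WebApp tier and the EJB tier. -->
        <transport-config>
          <integrity>required</integrity>
          <confidentiality>required</confidentiality>
          <establish-trust-in-target>supported</establish-trust-in-target>
          <establish-trust-in-client>required</establish-trust-in-client>
        </transport-config>
        <!-- Authentication layer: no per-call username/password is
             demanded, because the WebApp is authenticated by its
             certificate at the transport layer. -->
        <as-context>
          <auth-method>username_password</auth-method>
          <realm>default</realm>
          <required>false</required>
        </as-context>
        <!-- Attribute layer: accept an identity token asserted by the
             trusted WebApp, so the EJB can make its own access decision. -->
        <sas-context>
          <caller-propagation>supported</caller-propagation>
        </sas-context>
      </ior-security-config>
    </ejb>
  </enterprise-beans>
</glassfish-ejb-jar>
```

Mutual SSL here authenticates the WebApp, not the end user, so the EJB server's truststore should be limited to the WebApp's certificate or its issuing CA when propagated identities are accepted.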