Originally posted by kapil Gupta:
I have some knowledge of JAAS but don't have any idea about how to propagate security context from RMI client to server on each API call. I searched on the net but couldn't find any example where JAAS is used for RMI clients in a standalone application (without application server).
Thanks,
Kapil
It looks like the client is a "machine" impersonating somebody else.
If it is a machine, the generic "standardized" mechanism that works across all three technologies that you mention is certificate-based authentication. (Kerberos tokens also work across all three.)
Irrespective of any mechanism for authentication, JAAS can be used on the server as indicated by Ulf.
But if you are deploying the "server" app in an app server, then don't expect JAAS to be very compatible... Until now JAAS is a J2SE mechanism, and until JSR 196 gets through, JAAS support within app servers is going to be flaky...
Also remember that the app server itself is a J2SE application and is probably using JAAS or proprietary mechanisms to attach a "Subject" to the running thread, just like JAAS does - and the two have conflicts.
Oh and by the way....
You threw me off track with that "security context propagation" thing there.
If it is a machine does that mean your RMI client is already authenticated to somebody else and is now trying to use your server?
Is your "RMI client" really EJBs in another app server?
If that is the case, then the "security context propagation" is standardized through the CSIv2 specification - originally through OMG - and is mandatory from J2EE 1.3 app servers implementing EJBs.
However, CSIv2 is not supported in the MS and .NET world.
In other words, you have a bunch of choices :-)
[ August 22, 2006: Message edited by: Srikanth Shenoy ]