Inside the web tier of our application, I want to put some web services using a custom login module. The rest of this application must be totally unaffected and continue to run as is.
I can configure oracle app server to use this custom login module for a given application, but once it does that our swing client fails to connect via RMI even though I've granted the user it connects as permissions to do so. Now this is something I can debug and look at, though I have to wonder if it isn't possible to make the login module mandatory for the web services code but optional for everything else. Is it?
WS are typically secured using the facilities of the WS-Security standard (which provides authentication, signing and encryption). What would JAAS add to that?
Joined: Nov 20, 2007
Originally posted by Ulf Dittmer: WS are typically secured using the facilities of the WS-Security standard (which provides authentication, signing and encryption). What would JAAS add to that?
I'm using UsernameToken from WS-Security, JAAS autenticates that username and password using our existing authentication code. The app server gets back a happy boolean and allows the web service to be executed. That web service gets the Subject and uses the stored credentials to authorise the execution of the transaction, auditing etc all happens as per normal, against the JAAS authenticated user. The client wants WS in this month, and we don't have the time or resources to fully utilize the WS standards. The existing authentication/authorization module goes back ages and does all sorts of custom stuff that will 1 or 2 ages to replace.
Joined: Nov 20, 2007
Now that I've written almost everything else but this I want to come back to it, hopefully someone's more helpful than google so far. Sure Google knows almost everything, you just have to know how to ask.
Looking at this article I see I need a policy and a conf file, I only have the conf file. Now I'm trying to define the config policy's contents.
Lets say my web services are in package com.javaranch.ws and the rest of my code in various com.javaranch packages, can I even require the custom login module for certain packages as opposed to applications?