a) I want several applications/services (java+non-java) to access the same user base. The service providing the user base also should provide authentication mechanisms. The ejb container should be able to access this structure. Ideally, a client calls the ejb, and is at the beginning associated with an "anonymous" user, until the client decides to authenticate. Is this possible ? What kind of architecture would you recommend ? What I definitely do NOT want is : use a web container for this, or servlet functionality. I do want to do authentication at EJB container level, or EJB level.
b) When the client decides to authenticate, how can I make the stateful session ejb be aware of the client�s new security identity ? I guess it must be stored in a context variable to do that. Also, the ejb - I guess - will have to make calls for this (programmatic). what do those calls look like ? How can I do that ?
c) Imagine I want to create a new user at runtime, and associate the client with the security context of that new user. How is all of this best done ?
My personal guess is: LDAP user base with authentication mechanism. EJB accesses that tree. EJB stores new sec identity in its own context variable, so it aquires the new sec identity (is this possible and allowed for an EJB ?). But all other questions still remain open for me.
I would recommend you to use implicit security rather than explicit security approach. All you have to do is to use J2EE declarative security and you�ll be almost done. The only thing that you need to take care of it�s about your remote clients (I suppose this is why you want the security implemented within the EJB container). The difference is that having your EJBs unprotected your RMI clients can use the usual lookup(home)->get the remote interface->call the business methods. Once you protected them all client�s call will fail, due to security reasons of course. The trick is to use JAAS in order to make the client calls. This way the clients will initializes the login context and finally will associate the Subject object with the current client thread. There are several classes that you need to provide as well and there are several other tricks that might give you little bit of a hard time at first (like using JNDI authentication, building login modules, using certificates, etc), but in the end you�ll see that it is definitely worth the trouble. In my entire experience I found the security projects the most exciting and challenging projects. Another big challenge is to integrate the container�s security domain with your database or your ldap. Weblogic for example provides a very flexible security architecture model, which allows you to define custom authentication or authorization providers. In a matter of minutes you can integrate your ldap within weblogic security domain, using the console application. For more information about the way your clients will get authenticated/authorized using JAAS you can read this document: http://e-docs.bea.com/wls/docs81/security/fat_client.html Regards.