my dog learned polymorphism
The moose likes EJB and other Java EE Technologies and the fly likes ServiceLocator with JAAS authentication ? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » EJB and other Java EE Technologies
Bookmark "ServiceLocator with JAAS authentication ?" Watch "ServiceLocator with JAAS authentication ?" New topic

ServiceLocator with JAAS authentication ?

Jay Sam

Joined: Feb 27, 2005
Posts: 27

does JAAS authentication on the client somehow knock off the need for a ServiceLocator pattern?

1) I request reference to a stateful session ejb via ServiceLocator
2) ServiceLocator authenticates with user "anonymous" and creates that ejb and returns the reference to it, as well as my "subject" object.
3) I make some calls using Subject.Doas
4) at some point, I decide to switch identity, therefore re-authenticating to the server
5) I do method calls on the same ejb as before

Doubts about ServiceLocator pattern integration with JAAS:
a) in this scenario, ServiceLocator looks up the bean for me. Have I got to provide any URL for logging in also ? I guess I must somehow decide - just as with EJBs - where to find the server to authenticate to, am I right ? If yes, will I need to write servicelocator functionality for looking up the "URL" of the service/server to authenticate to ?
If I need no URL for logging in, then this doubt is of no importance
b) in step 4, I decide to switch identity by re-authenticating to the server. Well - same problem: ServiceLocator gave me the proper EJB reference. So I guess it should also know - and _only_ ServiceLocator should know - where to re-authenticate to.

The most important doubt:
c) to call methods on EJBs in this way, I have to use the Subject.doAs(subject, action) construct. This means that I will have to define one action object for each method which can be called on the stateful sessoin EJB by the client. For creating my stateful session EJB, then, I could create a "create" action right away, without the ServiceLocator needing to be involved. That "create" action would hand me back the reference to the EJB, and I could authenticate prior to doing that. In fact, only the "create" action needs to access ServiceLocator functionality with this design. So - is it still useful for anything ?

How would you combine ServiceLocator pattern with JAAS, in the case of the above scenario ?


Yuan Ye
Ranch Hand

Joined: Mar 05, 2003
Posts: 172
Hi. I wasn't totally understand your question. Just want to share you with some info when I implement Jaas and SeviceLocator Pattern.

First, since you want to switch Subject in SeviceLocation class. Then I think your security check should be one level below that, which is the EJB class in your case. You can assign roles in the EJB access, and change your role (Subject) before calling it. If both roles (subjects) are defined in the EJB access permission, you can use the same EJB reference in the ServiceLocator.

I agree. Here's the link:
subject: ServiceLocator with JAAS authentication ?
It's not a secret anymore!