Call secured EJB from "unsecured" web with custom credentials instead of "BASIC AUTH"ed credentials
posted 6 years ago
I'm trying to call a secured EJB (using the remote interface) from a servlet.
I don't want to secure the web site using BASIC_AUTH, FORM, CLIENT_CERT etc., because the web site has its own "unique" user authentication process.
Instead, I want to present the "unique" login screen and connect to the EJB using the details entered on the screen, instead of those that you'd normally get from BASIC_AUTH etc.
So, basically, there is no CERT, nor BASIC_AUTH, etc.
I have written all kinds of login modules, and they have all been accessed correctly when I try to invoke an EJB method,
but none of them are able to return the username provided in the web site.
The web site (servlet) code:
No matter what type of LoginModule I use, there is never any principal, username, etc., passed in at initialize, and
nothing (except the domain) is available in the options or sharedState.
I wrote my own Callback handler and successfully "logged in" to the EJB from the web page:
...but accessing the EJB remote interface thereafter prompts the LoginModule again, and no username or password are available.
(Obviously my manual login is not associated with the remote interface returned by InitialContext.)
It seems to me that the Context object (or the remote interface returned by it) is using security credentials from the
web server and ignoring my custom parameters.
How can I call a secured EJB from an "unsecured" web site?
posted 6 years ago
What you are trying to do is possible but highly vendor-specific in terms of hooking in a custom JAAS module. I would check with folks more familiar with your particular application server.
Hope it helps,
Independent Consultant — Author, EJB 3 in Action — Expert Group Member, Java EE 6 and EJB 3.1