I'm trying to call a secured EJB (using the remote interface) from a servlet.
I don't want to secure the web site using BASIC_AUTH, FORM, CLIENT_CERT etc., because the web site has its own "unique" user authentication process.
Instead, I want to present the "unique" login screen, and connect to the EJB using the details entered on the screen - instead of those that you'd normally get from BASIC_AUTH etc.
So, basically, there is no CERT, nor BASIC_AUTH etc etc.
I have written all kinds of login modules, and they have all been accessed correctly when I try to invoke an EJB method, but none of them are able to return the username provided in the web site.
The web site (servlet) code:
No matter what type of LoginModule I use, there is never any principal, username, etc. passed in at initialize, and nothing (except the domain) available in the options or sharedState.
I wrote my own Callback handler and successfully "logged in" to the EJB from the web page:
...but accessing the EJB remote interface thereafter prompts the LoginModule again, and no username or password are available.
(Obviously my manual login is not associated with the remote interface returned by InitialContext.)
It seems to me that the Context object (or the remote interface returned by it) is using security credentials from the web server and ignoring my custom parameters.
How can I call a secured EJB from an "unsecured" web site?