Call secured EJB from "unsecured" web with custom credentials instead of "BASIC AUTH"ed credentials

David Campbell
Greenhorn

Joined: Mar 06, 2009
Posts: 1
I'm trying to call a secured EJB (using the remote interface) from a servlet.
I don't want to secure the web site using BASIC_AUTH, FORM, CLIENT_CERT etc, because the web site has its own "unique" user authentication process.
Instead, I want to present the "unique" login screen, and connect to the EJB using the details entered on the screen - instead of those that you'd normally get from BASIC_AUTH etc.
So, basically, there is no CERT, nor BASIC_AUTH etc etc.

I have written all kinds of login modules, and they have all been accessed correctly when I try to invoke an EJB method,
but none of them are able to return the username provided in the web site.

The web site (servlet) code:



No matter what type of LoginModule I use, there is never any principal, username, etc etc, passed in at initialize, and
nothing (except the domain) available in the options or sharedState.

I wrote my own Callback handler and successfully "logged in" to the EJB from the web page:



...but accessing the EJB remote interface thereafter prompts the LoginModule again, and no username or password are available.
(obviously my manual login is not associated with the remote interface returned by InitialContext)

It seems to me that the Context object (or the remote interface returned by it) is using security credentials from the
web server and ignoring my custom parameters.

How can I call a secured EJB from an "unsecured" web site?


Reza Rahman
author
Ranch Hand

Joined: Feb 01, 2005
Posts: 580
David,

What you are trying to do is possible but highly vendor-specific in terms of hooking in a custom JAAS module. I would check with folks more familiar with your particular application server.

Hope it helps,
Reza


Independent Consultant — Author, EJB 3 in Action — Expert Group Member, Java EE 6 and EJB 3.1
 