Trust between containers

Alex Turbado
Greenhorn

Joined: Dec 24, 2012
Posts: 14
Hi all!

I'm developing a web application on a GlassFish server, where a Servlet uses some EJBs. When reading in the Java EE tutorial about how the Servlet caller's authenticated identity propagates to the EJB container, you see things like:

There is no way for the target container to authenticate the propagated security identity [...] the target must trust that the calling container has propagated an authenticated security identity. By default, the GlassFish Server is configured to trust identities that are propagated from different containers. Therefore, you do not need to take any special steps to set up a trust relationship.

I feel fine with this in my case, given that the servlet will propagate the identity of the caller to the EJB, so I don't have to do anything special to secure the EJB methods: I only specify the roles allowed and that's all. But I wonder what happens when the containers are different, for example 2 GlassFish servers on different physical machines. In particular:

- "The GF Server is configured to trust identities that are propagated from different containers" ??? How is that? Isn't it a security hole? Does it mean that if a container receives a call to an EJB method with a Principal "John" and role "Admin" from any container, it'll trust it??

- How do you configure GF Server to trust or not trust other container(s)?
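As an added example that is not part of the original post, here is the same-server case the post describes in Java EE code: the web container authenticates the user, and the EJB container authorizes the propagated identity against @RolesAllowed without re-authenticating it. The class names, role names and servlet URL are hypothetical; it assumes a GlassFish realm whose groups are mapped to the roles "admin" and "user" in the deployment descriptors, and it uses only standard javax.* APIs.

```java
// Added example (not the original poster's code). Two top-level public classes,
// shown here as two files of one deployable web application.
// Assumptions: a GlassFish security realm with groups mapped to the roles
// "admin" and "user"; role names, class names and the URL are hypothetical.

// ---- File: AccountService.java -------------------------------------------
package example.trust;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/**
 * EJB tier. Authorization is declared per method; the container enforces it
 * against whatever caller identity the calling (web) container propagated.
 * Nothing here authenticates that identity again.
 */
@Stateless
@DeclareRoles({"admin", "user"})
public class AccountService {

    @Resource
    private SessionContext ctx;

    /** Any caller in either role may invoke this. */
    @RolesAllowed({"admin", "user"})
    public String whoAmI() {
        // The principal as seen inside the EJB container: the propagated one.
        return ctx.getCallerPrincipal().getName();
    }

    /** Only "admin" may invoke this; for anyone else the container throws
     *  javax.ejb.EJBAccessException before the body runs. */
    @RolesAllowed("admin")
    public String closeAccount(String accountId) {
        return "closed " + accountId + " by " + ctx.getCallerPrincipal().getName();
    }
}

// ---- File: CloseAccountServlet.java --------------------------------------
package example.trust;

import java.io.IOException;
import java.security.Principal;

import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Web tier. The HttpConstraint forces authentication (via the realm configured
 * in web.xml) before doPost runs, so every EJB call below carries an
 * authenticated principal.
 */
@WebServlet("/accounts/close")
@ServletSecurity(@HttpConstraint(rolesAllowed = {"admin", "user"}))
public class CloseAccountServlet extends HttpServlet {

    @EJB
    private AccountService accounts;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal webUser = req.getUserPrincipal(); // identity set by the web container
        String ejbUser = accounts.whoAmI();          // identity seen by the EJB container
        String accountId = req.getParameter("id");

        String result;
        try {
            // The EJB container, not this servlet, decides whether the propagated
            // identity holds "admin". A caller in role "user" only is rejected here.
            result = accounts.closeAccount(accountId);
        } catch (EJBAccessException denied) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "caller " + ejbUser + " is not in role admin");
            return;
        }

        resp.setContentType("text/plain");
        resp.getWriter().printf("web tier sees %s, EJB tier sees %s%n",
                webUser.getName(), ejbUser);
        resp.getWriter().println(result);
    }
}
```

Logging both names in doPost is a cheap way to confirm that the principal the EJB authorizes is exactly the one the web container authenticated. It also makes the limitation visible: @RolesAllowed on the EJB is only as strong as the EJB container's trust in whoever propagated that principal, which is the point the quoted tutorial passage makes.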
