
Trust between containers

Alex Turbado

Joined: Dec 24, 2012
Posts: 14
Hi all!

I'm developing a web application with a Glassfish server, where a Servlet uses some EJBs. When reading in the JEE tutorial how the Servlet caller's authenticated identity propagates to the EJB container, you see things like:

There is no way for the target container to authenticate the propagated security identity [...] the target must trust that the calling container has propagated an authenticated security identity. By default, the GlassFish Server is configured to trust identities that are propagated from different containers. Therefore, you do not need to take any special steps to set up a trust relationship.

I feel fine with this in my case, given that the servlet will propagate the identity of the caller to the EJB, so I don't have to do anything special for securing the EJB methods: only specify the roles allowed and that's all. But I wonder what happens when the containers are different, for example two Glassfish servers on different physical machines; in particular:

- "The GF Server is configured to trust identities that are propagated from different containers" ??? How is it? Isn't it a security hole? Does it mean that if a container receives a call to an EJB method with a Principal "John" and role "Admin" from any container, it'll trust it??

- How do you configure GF Server to trust/don't trust another container(s)?
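The single-server case described in the question, shown as an added example (it is not code from the post, the Java EE tutorial, or GlassFish itself). The web container authenticates the caller, the servlet invokes the EJB, and the EJB container receives the same Principal without re-authenticating it. The defensive point it illustrates is that authorization should still be declared on the EJB methods with @RolesAllowed, so the EJB container enforces the roles of whatever identity was propagated instead of relying on the web tier's checks alone. The class names, the "/admin" URL pattern and the "Admin"/"User" roles are assumptions chosen for illustration.

```java
// File: AdminService.java
// Added example, not from the original post. Names and roles are assumptions.
import java.security.Principal;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// The EJB enforces authorization itself rather than relying on the web tier alone.
@Stateless
@DeclareRoles({"Admin", "User"})
public class AdminService {

    @Resource
    private SessionContext ctx;

    // Only callers whose propagated identity carries the Admin role get in;
    // everyone else receives an EJBAccessException from the container.
    @RolesAllowed("Admin")
    public String whoIsCalling() {
        Principal caller = ctx.getCallerPrincipal();  // identity propagated from the servlet
        boolean admin = ctx.isCallerInRole("Admin");   // programmatic check alongside the annotation
        return caller.getName() + " (admin=" + admin + ")";
    }

    @RolesAllowed({"Admin", "User"})
    public String hello() {
        return "hello " + ctx.getCallerPrincipal().getName();
    }
}

// File: AdminServlet.java
// The web tier authenticates the caller (container-managed security against a realm)
// and then invokes the EJB; the EJB container sees the same Principal.
import java.io.IOException;
import java.security.Principal;

import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/admin")
@ServletSecurity(@HttpConstraint(rolesAllowed = {"User", "Admin"}))
public class AdminServlet extends HttpServlet {

    @EJB
    private AdminService adminService;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal webCaller = req.getUserPrincipal();  // identity the web container authenticated
        resp.setContentType("text/plain");
        resp.getWriter().println("web caller: " + webCaller.getName());
        resp.getWriter().println(adminService.hello()); // permitted for User and Admin
        try {
            // Succeeds only if the propagated identity is in role Admin.
            resp.getWriter().println(adminService.whoIsCalling());
        } catch (EJBAccessException e) {
            // The EJB container rejected the call: the propagated identity lacks the Admin role.
            resp.getWriter().println("not an admin: " + e.getMessage());
        }
    }
}
```

To try it, package both classes in a WAR, deploy to GlassFish, and map the "Admin" and "User" roles to groups in the realm the application logs in against (through a security-role-mapping in glassfish-web.xml, or the server's default principal-to-role mapping). A user in the "User" group gets the greeting but hits the EJBAccessException branch, which is the EJB container, not the servlet, deciding on the propagated identity.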
