does JAAS authentication on the client somehow knock off the need for a ServiceLocator pattern?
Scenario: 1) I request reference to a stateful session ejb via ServiceLocator 2) ServiceLocator authenticates with user "anonymous" and creates that ejb and returns the reference to it, as well as my "subject" object. 3) I make some calls using Subject.Doas 4) at some point, I decide to switch identity, therefore re-authenticating to the server 5) I do method calls on the same ejb as before
Doubts about ServiceLocator pattern integration with JAAS: a) in this scenario, ServiceLocator looks up the bean for me. Have I got to provide any URL for logging in also ? I guess I must somehow decide - just as with EJBs - where to find the server to authenticate to, am I right ? If yes, will I need to write servicelocator functionality for looking up the "URL" of the service/server to authenticate to ? If I need no URL for logging in, then this doubt is of no importance b) in step 4, I decide to switch identity by re-authenticating to the server. Well - same problem: ServiceLocator gave me the proper EJB reference. So I guess it should also know - and _only_ ServiceLocator should know - where to re-authenticate to.
The most important doubt: c) to call methods on EJBs in this way, I have to use the Subject.doAs(subject, action) construct. This means that I will have to define one action object for each method which can be called on the stateful sessoin EJB by the client. For creating my stateful session EJB, then, I could create a "create" action right away, without the ServiceLocator needing to be involved. That "create" action would hand me back the reference to the EJB, and I could authenticate prior to doing that. In fact, only the "create" action needs to access ServiceLocator functionality with this design. So - is it still useful for anything ?
How would you combine ServiceLocator pattern with JAAS, in the case of the above scenario ?
Hi. I wasn't totally understand your question. Just want to share you with some info when I implement Jaas and SeviceLocator Pattern.
First, since you want to switch Subject in SeviceLocation class. Then I think your security check should be one level below that, which is the EJB class in your case. You can assign roles in the EJB access, and change your role (Subject) before calling it. If both roles (subjects) are defined in the EJB access permission, you can use the same EJB reference in the ServiceLocator.