• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
  • Mikalai Zaikin

Call secured EJB from "unsecured" web with custom credentials instead of "BASIC AUTH"ed credentials

Posts: 1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I'm trying to call a secured EJB (using the remote interface) from a servlet.
I dont want to secure the web site using BASIC_AUTH, FORM, CLIENT_CERT etc, because the web site has it's own "unique" user authentication process.
Instead, I want to present the "unique" login screen, and connect to the EJB using the details entered on the screen - instead of those that you'd normally get from BASIC_AUTH etc.
So, basically, there is no CERT, nor BASIC_AUTH etc etc.

I have written all kinds of login modules, and they have all been accessed correctly when i try to invoke an ejb method,
but none of them are able to return the username provided in the web site.

The web site (servlet) code:

No matter what type of LoginModule i use, there is never any principal, username, etc etc, passed in at initialize, and
nothing (except the domain) available in the options or sharedState.

I wrote my own Callback handler and successfully "logged in" to the EJB from the web page:

...but accessing the EJB remote interface thereafter prompts the LoginModule again, and no username or password are available.
(obviously my manual login is not associated with the remote interface returned by InitialContext )

It seems to me that the Context object (or the remote interface returned by it) is using security credentials from the
web server and ignoring my custom parameters.

How can i call a secured ejb from an "unsecured" web site?

Posts: 580
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

What you are trying to do is possible but highly vendor-specific in terms of hooking is a custom JAAS module. I would check with folks more familiar with your particular application server.

Hope it helps,
Don't get me started about those stupid light bulbs.
    Bookmark Topic Watch Topic
  • New Topic