when we use ejb module and application client container, who performs authentication?

5 replies
Anonymous

hi,

Can you please let me know which parts of glassfish perform the
authentication when we access an ejb from an application client container?

thanks.
monzillo

The appclient container collects the caller credentials (e.g. username and password) and uses them to pass a caller identity and a corresponding authenticator (i.e. a proof of identity) to the ejb application container. It is the ejb application container that authenticates (i.e. verifies) the proof of identity received with the invocation. In caller propagation scenarios, an invoking container sends an assertion of caller identity without a corresponding authenticator, and the receiving container "authenticates" the invocation by determining whether the source of the request (i.e., the invoking container) is authorized to assert the propagated identity.

ksak

Hi Sarah,

The application client container performs the authentication. The caller principal is then passed as underlying context on Remote EJB invocations.

--ken

Sarah kho

Thank you for answering my question.

Can you please let me know whether it is a j2ee spec requirement that the
application client container do the authentication or it is the way
glassfish does it?

thanks.

On Thu, Mar 25, 2010 at 6:56 PM, wrote:

> Hi Sarah,
>
> The application client container performs the authentication. The caller
> principal is then passed as underlying context on Remote EJB invocations.
>
> --ken
> [Message sent by forum member 'ksak']

ksak

Yes, it's a Java EE platform requirement. It's one of the services that distinguishes an Application Client component from a plain Java SE (stand-alone) client. Many plain Java SE clients access Remote EJB components, but there is no portable programmatic authentication API so such clients either can't access protected Remote EJB components or they are forced to use a vendor-specific authentication API.

tjquinn

Adding a tiny bit to Ken's response:

From the Java EE 6 platform spec:

EE.3.3.4 Container Based Security
Security for components is provided by their containers in order to achieve the goals
for security specified above in a Java EE environment.

There might be other places in the spec that address this, but this is one.
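
As an added illustration of the container-based security discussed in this thread (not code from any poster or from GlassFish): a protected remote EJB and an application client that calls it, shown as three source files in one listing. The names AccountService, AccountServiceBean, Main and the role "teller" are hypothetical, and mapping that role to a realm user or group is server configuration that is not shown.

```java
// ---- AccountService.java (shared remote business interface) ----
import javax.ejb.Remote;

@Remote
public interface AccountService {
    String whoAmI();
}

// ---- AccountServiceBean.java (EJB module, runs in the EJB container) ----
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles("teller")                  // hypothetical role name
public class AccountServiceBean implements AccountService {

    @Resource
    private SessionContext ctx;          // injected by the EJB container

    // The EJB container checks the caller's role before this body runs;
    // the bean itself never sees or verifies a password.
    @RolesAllowed("teller")
    @Override
    public String whoAmI() {
        // Identity established by the containers, not by application code.
        return ctx.getCallerPrincipal().getName();
    }
}

// ---- Main.java (application client module, runs in the appclient container) ----
import javax.ejb.EJB;

public class Main {

    @EJB
    private static AccountService accounts;   // injected by the appclient container

    public static void main(String[] args) {
        // No login API is called here: collecting the username and password
        // is a service of the application client container.
        System.out.println("Caller as seen by the EJB: " + accounts.whoAmI());
    }
}
```

A plain Java SE client running the same Main outside the application client container gets neither the @EJB injection nor the container-managed login, which is the distinction ksak describes.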