More than Username Password - Weblogic
-
More than Username Password
We are developing a custom SSPI module for our WebLogic servers, and I have a concern
with remote logins for remote EJB calls.
The documentation states that the UsernamePasswordLoginModule is a good way to
remotely log into a different BEA server so that EJB calls can be made from the
Security.runAs context. However, I need to have more information passed than
just the username/password combination, e.g. the applicationId that is making the
call, in addition to the userid.
The docs recommend creating your own login module, which is fine, but if I am
correct the UsernamePasswordLoginModule uses the environment object and Authenticate.authenticate
to perform the login to my SSPI. In that case the name is somehow translated
into a NameCallback and the (credential) password into a PasswordCallback. If I want
to add a different callback, "CallingAppCallback", where is that set in the environment
object? In the properties? And if so, how is that then accessed by my LoginModule
or AuthenticationProviderImpl?
I just don't see how to extend the functionality of UsernamePasswordLoginModule
for remote-server logins.
-
Re: More than Username Password
ToddTobin wrote:
> We are developing a custom SSPI module for our WebLogic servers, and I have a concern
> with remote logins for remote EJB calls.
>
> The documentation states that the UsernamePasswordLoginModule is a good way to
> remotely log into a different BEA server so that EJB calls can be made from the
> Security.runAs context. However, I need to have more information passed than
> just the username/password combination, e.g. the applicationId that is making the
> call, in addition to the userid.
>
> The docs recommend creating your own login module, which is fine, but if I am
> correct the UsernamePasswordLoginModule uses the environment object and Authenticate.authenticate
> to perform the login to my SSPI. In that case the name is somehow translated
> into a NameCallback and the (credential) password into a PasswordCallback. If I want
> to add a different callback, "CallingAppCallback", where is that set in the environment
> object? In the properties? And if so, how is that then accessed by my LoginModule
> or AuthenticationProviderImpl?
>
> I just don't see how to extend the functionality of UsernamePasswordLoginModule
> for remote-server logins.
Yes, this is a major limitation. I had a similar limitation when I
implemented a Kerberos client. If you can't fit what you want into two
string fields, you are stuffed. BEA really need to open up the API for
client-side login modules. To be fair to BEA, JAAS is useless so they
weren't working with something that was designed for distributed systems
in the first place.
Anyway, I worked around it by base64-encoding my data (which was binary,
obviously). I suggest you come up with some way of encoding the
application id in the username, e.g. user@id or something along those lines.
If you do come up with a better solution I'd be very interested to know!
Robert
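
The workaround suggested in the reply above, sketched as an added example (not code from either poster or from BEA): the user id and application id are packed into the single username string on the client and strictly unpacked on the server from the NameCallback. It uses only standard JAAS and `java.util.Base64`; the class name `PackedIdentity`, its methods, the `.` separator and the sample values are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;

public class PackedIdentity {                      // hypothetical helper class
    final String user, appId;
    PackedIdentity(String user, String appId) { this.user = user; this.appId = appId; }

    // Client side: pack both values into the one username string.
    // '.' is outside the base64url alphabet, so the split stays unambiguous
    // even when the user name itself contains '@' or '.'.
    static String pack(String user, String appId) {
        Base64.Encoder e = Base64.getUrlEncoder().withoutPadding();
        return e.encodeToString(user.getBytes(StandardCharsets.UTF_8)) + "."
             + e.encodeToString(appId.getBytes(StandardCharsets.UTF_8));
    }

    // Server side: strict parse; anything malformed fails the login.
    static PackedIdentity unpack(String field) throws LoginException {
        String[] p = field == null ? new String[0] : field.split("\\.", -1);
        if (p.length != 2 || p[0].isEmpty() || p[1].isEmpty())
            throw new LoginException("malformed packed username");
        try {
            Base64.Decoder d = Base64.getUrlDecoder();
            return new PackedIdentity(new String(d.decode(p[0]), StandardCharsets.UTF_8),
                                      new String(d.decode(p[1]), StandardCharsets.UTF_8));
        } catch (IllegalArgumentException ex) {    // not valid base64url
            throw new LoginException("malformed packed username");
        }
    }

    // What a LoginModule.login() would do with the handler it is given.
    static PackedIdentity fromHandler(CallbackHandler h) throws Exception {
        NameCallback name = new NameCallback("username: ");
        h.handle(new Callback[] { name });
        return unpack(name.getName());
    }

    public static void main(String[] args) throws Exception {
        String wire = pack("todd@example.test", "billing-app"); // constructed sample values
        CallbackHandler h = cbs -> ((NameCallback) cbs[0]).setName(wire);
        PackedIdentity id = fromHandler(h);
        System.out.println(wire + " -> user=" + id.user + " appId=" + id.appId);
    }
}
```

The application id recovered this way is only what the client claimed; the password still authenticates the user alone, so the server-side module should check the claimed id against what that user is permitted to assert before using it in any authorization decision.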