Re: [JBoss-dev] Re: Question about SecurityAssociation

[Scott M S. <sco...@at...>]

The SecurityAssociation is the mechanism by which foreign security contexts like web
containers propagate the current caller security context into the JBoss layers. The callout
to the realm is a tomcat specific thing performed when the web container needs to
validate access to secured content. As far as I know a realm cannot be used to propagate
a session across secured contexts and this is why the single sigon on behavior is
implemented as a valve. You still have to establish the callers security context via the
SecurityAssociation in order to have the web application security context propagate
to other JBoss components.

xxxxxxxxxxxxxxxxxxxxxxxx
Scott Stark
Chief Technology Officer
JBoss Group, LLC
xxxxxxxxxxxxxxxxxxxxxxxx

----- Original Message ----- 
From: <Phi...@en...>
To: <jbo...@li...>
Sent: Wednesday, March 12, 2003 4:38 AM
Subject: [JBoss-dev] Re: Question about SecurityAssociation


> Hi Scott,
> 
> I am deeply grateful about your fast support and I am confidently, that our
> project ( new internet-portal of "Gruppe Deutsche-Boerse"
> http://deutsche-boerse.com) becomes
> a full success, not least by the use of JBoss.
> 
> Well, I guess that I don't understand the background of the JBossSX yet. The
> piece of code I wrote in my last mail was a part of the class
> "org.jboss.web.catalina.EmbeddedCatalinaService41",
> so it's the same away as in the CatalinaService, if this is configured with a
> Security-Realm and accomplishes a "form-based" or "basic" authentication. Or do
> I err ?
> If I am right, you mean that using "SecurityAssociation.set..." only associates
> a Subject or Principal with the current Thread ? Do I have to implement a custom
> cache/pool to push a logged in user with his current http-session in a
> "security-context" to avoid re-authentication, when asking for a secured service
> (i.e. ejb),  or does JBoss provides such functionalities ?
> 
> thanks a lot
> Philipp