
Improve on Subject.doAs for client invoking secure EJB



    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0-M2
    • Fix Version/s: 1.0-M4
    • Component/s: application client, OpenEJB
    • Labels:


      It would be nice to provide a replacement or alternative means of invoking secure EJBs.

      1) Subject.doAs is kind of unwieldy if your EJB calls are scattered across your application (such as a Swing app with different EJB calls for every screen controller, separate save and load calls, etc.). Every one needs to be wrapped by a PrivilegedAction, and all Exceptions are reduced to type java.lang.Exception and so on. This is a particular problem for existing applications that don't have that wrapping already, so there would be significant code changes required to use Geronimo EJBs (as things stand).

      2) Subject.doAs is, to quote a wise man, "sloooooooooooooooowwwww".

      It would be nice to have some authentication method that authenticated you on the server side and returned some token to indicate who you are (could be a Subject, could be some encrypted thingy, whatever). Then on the client side we could stuff your authentication token in a ThreadLocal or something, and let you just cheerfully call any EJBs without any particular wrapping. But in our EJB client stubs, we could fetch the token out of the ThreadLocal and pass it to the server, which could back out your proper Principals whenever you try to access a secure resource. This would be effectively invisible to the client, other than the initial login, which would be very advantageous.
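The design sketched above (authenticate once, receive an opaque token, keep it in a ThreadLocal on the client, have the stub forward it on every call, and let the server map it back to Principals), as an added example in Java. This is not code from the issue, from Geronimo or from OpenEJB: `AuthServer`, `ClientAuth`, `AccountBean`, the token format and the "alice"/"secret" credentials are all constructed for illustration, and `balanceViaDoAs` shows the Subject.doAs wrapping the issue compares against.

```java
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;

/** Hypothetical server side: authenticates once, hands back an opaque random token, maps it back to Principals. */
final class AuthServer {
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    private final Map<String, Set<Principal>> sessions = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();

    /** Constructed credential check; a real server would drive a JAAS login module here. */
    String login(String user, char[] password) {
        if (!"alice".equals(user) || !"secret".equals(new String(password))) {
            throw new SecurityException("bad credentials");
        }
        byte[] raw = new byte[32];
        rng.nextBytes(raw);                       // 256 random bits: the token must be unguessable
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, Set.of(new UserPrincipal(user)));
        return token;
    }

    /** Resolves a token back to the caller's Principals; the client never supplies Principals itself. */
    Set<Principal> principalsFor(String token) {
        Set<Principal> p = token == null ? null : sessions.get(token);
        if (p == null) throw new SecurityException("not authenticated or session expired");
        return p;
    }

    void logout(String token) { sessions.remove(token); }
}

/** Hypothetical client side: the "ThreadLocal or something" that carries the token between EJB calls. */
final class ClientAuth {
    private static final ThreadLocal<String> TOKEN = new ThreadLocal<>();

    static void login(AuthServer server, String user, char[] pw) { TOKEN.set(server.login(user, pw)); }
    static String token() { return TOKEN.get(); }
    static void logout(AuthServer server) {
        String t = TOKEN.get();
        if (t != null) server.logout(t);
        TOKEN.remove();                           // always clear: a pooled thread would otherwise keep the token
    }
}

/** Hypothetical secure EJB together with the part of its client stub that forwards the thread's token. */
final class AccountBean {
    static final class AccountNotFoundException extends Exception {
        AccountNotFoundException(String account) { super("no such account: " + account); }
    }

    private final AuthServer server;
    AccountBean(AuthServer server) { this.server = server; }

    /** Proposed style: no PrivilegedAction wrapper, and the bean's own checked exception reaches the caller intact. */
    long balance(String account) throws AccountNotFoundException {
        Set<Principal> caller = server.principalsFor(ClientAuth.token());  // stub forwards token, server resolves it
        if (caller.stream().noneMatch(p -> "alice".equals(p.getName()))) {
            throw new SecurityException("caller lacks the required role");
        }
        if (!"acct-1".equals(account)) throw new AccountNotFoundException(account);
        return 4200L;
    }

    /** Today's style for comparison: every call wrapped, and checked exceptions come back as PrivilegedActionException. */
    static long balanceViaDoAs(Subject subject, AccountBean bean, String account) throws AccountNotFoundException {
        try {
            return Subject.doAs(subject, (PrivilegedExceptionAction<Long>) () -> bean.balance(account));
        } catch (PrivilegedActionException e) {
            throw (AccountNotFoundException) e.getException();            // unwrapped by hand at every call site
        }
    }
}

public class TokenAuthDemo {
    public static void main(String[] args) throws Exception {
        AuthServer server = new AuthServer();
        AccountBean bean = new AccountBean(server);

        ClientAuth.login(server, "alice", "secret".toCharArray());
        System.out.println("balance = " + bean.balance("acct-1"));         // plain call; the token travels implicitly

        ClientAuth.logout(server);
        try {
            bean.balance("acct-1");
        } catch (SecurityException e) {
            System.out.println("after logout: " + e.getMessage());          // token revoked on the server side
        }
    }
}
```

Save as `TokenAuthDemo.java` and run with `java TokenAuthDemo.java` (Java 11 or later). Two properties carry the security of the scheme: the token is random and opaque, so possessing it proves nothing except that the login succeeded, and only the server turns it back into Principals, so a client cannot assert roles for itself. A production version would also expire sessions server side, and the client must clear the ThreadLocal whenever a thread is returned to a pool, which `ClientAuth.logout` does.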




            • Assignee:
              djencks David Jencks
              ammulder Aaron Mulder
            • Votes: 0
            • Watchers: 0