-
15. Re: EJB Server to Server Security
robby.cornelissen May 1, 2013 5:25 AM (in response to jaikiran)
Thx Jaikiran. After a little stumble over https://issues.jboss.org/browse/WFLY-52 when deploying locally, I got it to work.
-
16. Re: EJB Server to Server Security
jaikiran May 1, 2013 7:22 AM (in response to robby.cornelissen)
Good to know!
Robby Cornelissen wrote:
After a little stumble over https://issues.jboss.org/browse/WFLY-52 when deploying locally
Just so I know - was this a problem with the latest builds or was it to do with the version you were using, which perhaps didn't have that fix?
-
17. Re: EJB Server to Server Security
robby.cornelissen May 1, 2013 9:15 PM (in response to jaikiran)
I'm using EAP 6.1.0.Alpha, which, as far as I can tell, does not have that fix.
-
18. Re: EJB Server to Server Security
jaikiran May 6, 2013 6:09 AM (in response to robby.cornelissen)
Robby Cornelissen wrote:
I'm using EAP 6.1.0.Alpha, which, as far as I can tell, does not have that fix.
Yes, that's correct. That version doesn't have the fix for WFLY-52.
-
19. Re: EJB Server to Server Security
rbattenfeld May 27, 2013 2:00 AM (in response to jaikiran)
Hi jaikiran
I was looking into the ejb-security-interceptor quickstart example. My understanding is that this allows to switch the connection identity to other predefined identities, right? This could be a workaround but doesn't allow to propagate user principals.
I am also not sure if the EJBClientInterceptor is also usable for remote server connections?
What is the general conclusion of this thread? I am a little bit lost in the WildFly discussion :-)
Thanks in advance
Ralf
-
20. Re: EJB Server to Server Security
dlofthouse May 28, 2013 9:37 AM (in response to rbattenfeld)
The quickstart demonstrates for a server to server invocation how the calling server can pass along the user name of the user to execute a request as on the server receiving the invocation. The server that receives the invocation then checks that the user of the calling server is actually allowed to request this switch and if so loads the groups for the user requested.
So the user does need to be defined on both servers and propagation is achieved by asking the second server to run the request as a specific user rather than serializing a Subject instance and passing that along.
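
The decision the receiving server makes in the reply above, as an added plain-Java model. This is not code from the thread or from the quickstart, and it uses no JBoss/WildFly API. The class, method, user, and group names are hypothetical, and the sample data is constructed.

```java
import java.util.*;

// Added illustration: models only the receiving server's trust decision.
// All names are hypothetical; none are JBoss/WildFly APIs.
public class RunAsSwitchModel {
    // Users defined on the receiving server: user name -> groups (constructed sample data).
    static final Map<String, Set<String>> LOCAL_USERS = new HashMap<>();
    // Connection identities that are allowed to request a switch (constructed sample data).
    static final Set<String> MAY_SWITCH = new HashSet<>(Arrays.asList("ConnectionUser"));
    static {
        LOCAL_USERS.put("ConnectionUser", new HashSet<>(Arrays.asList("Server")));
        LOCAL_USERS.put("AppUserOne", new HashSet<>(Arrays.asList("User", "RoleOne")));
    }

    /** Returns the groups the request will run with, or throws if the switch is refused. */
    static Set<String> resolveIdentity(String connectionUser, String requestedUser) {
        // No switch requested: the request runs as the authenticated connection user.
        if (requestedUser == null || requestedUser.equals(connectionUser)) {
            return groupsOf(connectionUser);
        }
        // The switch is authorized against the authenticated connection identity,
        // never against anything the caller says about itself in the request.
        if (!MAY_SWITCH.contains(connectionUser)) {
            throw new SecurityException(connectionUser + " may not run requests as " + requestedUser);
        }
        // Groups come from this server's own store; the caller sends a name only.
        return groupsOf(requestedUser);
    }

    static Set<String> groupsOf(String user) {
        Set<String> groups = LOCAL_USERS.get(user);
        if (groups == null) {
            throw new SecurityException("user not defined on this server: " + user);
        }
        return Collections.unmodifiableSet(groups);
    }

    public static void main(String[] args) {
        // Allowed: the connection user asks to run the request as a locally defined user.
        System.out.println(resolveIdentity("ConnectionUser", "AppUserOne"));
        // Refused: an ordinary user tries to switch to another identity.
        try { resolveIdentity("AppUserOne", "ConnectionUser"); }
        catch (SecurityException e) { System.out.println("refused: " + e.getMessage()); }
        // Refused: the requested user is not defined on the receiving server.
        try { resolveIdentity("ConnectionUser", "NotDefinedHere"); }
        catch (SecurityException e) { System.out.println("refused: " + e.getMessage()); }
    }
}
```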