does JAAS authentication on the client somehow knock off the need for a ServiceLocator pattern
1) I request reference to a stateful session ejb
2) ServiceLocator authenticates with user "anonymous" and creates that ejb and returns the reference to it, as well as my "subject" object.
3) I make some calls using Subject.Doas
4) at some point, I decide to switch identity, therefore re-authenticating to the server
5) I do method calls on the same ejb as before
Doubts about ServiceLocator pattern integration with JAAS:
a) in this scenario, ServiceLocator looks up the bean for me. Have I got to provide any URL for logging in also ? I guess I must somehow decide - just as with EJBs - where to find the server to authenticate to, am I right ? If yes, will I need to write servicelocator functionality for looking up the "URL" of the service/server to authenticate to ?
If I need no URL for logging in, then this doubt is of no importance
b) in step 4, I decide to switch identity by re-authenticating to the server. Well - same problem: ServiceLocator gave me the proper EJB reference. So I guess it should also know - and _only_ ServiceLocator should know - where to re-authenticate to.
The most important doubt:
c) to call methods on EJBs in this way, I have to use the Subject.doAs(subject, action) construct. This means that I will have to define one action object for each method which can be called on the stateful sessoin EJB by the client. For creating my stateful session EJB, then, I could create a "create" action right away, without the ServiceLocator needing to be involved. That "create" action would hand me back the reference to the EJB, and I could authenticate prior to doing that. In fact, only the "create" action needs to access ServiceLocator functionality with this design. So - is it still useful for anything ?
How would you combine ServiceLocator pattern with JAAS, in the case of the above scenario ?