Hi, I am very new to WebLogic security (security in general). I have a question about how WebLogic ties authentication/authorization together. One thing WebLogic lacks is a clear explanation of how things tie into everything else. Let's say that I have a servlet that connects to a session bean and that session bean has some methods I want to block (some will have to be blocked programmatically). I know that I can specify this in the deployment descriptor and be fine with it. Now the question I could not get answered in the WebLogic docs is: when I try to connect and execute one of these methods from a Java client, how does WebLogic know who I am and what role I have? I am assuming that I have to use JAAS; once I authenticate myself to a protected resource in WebLogic Server using JAAS, does the server maintain my identity?

A flow that I want to follow is: I want to prompt the user for username and password -> that goes to WebLogic via JAAS and then the user gets authenticated in an RDBMS realm -> the user can do some things and can't do others. I will protect the EJB's methods (I only have one EJB) in the deployment descriptor and some programmatically.

Also, I want to create a new RDBMS realm that connects to an Oracle database; I have already done so, but I don't know what fields I should have in the table and what goes in the Schema properties of WebLogic (what are they for and what do they do). I also don't understand that if I can specify what role is allowed to access the EJB method in the deployment descriptor, why must I have an ACL associated with it? I would really appreciate your help, and if you can please provide me with some resources that are clear in explanation, I would appreciate that as well. Thank you very much, Jay.
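The client side of the flow asked about above, as an added example that is not part of the original post: a standalone Java client authenticates to WebLogic through JAAS, and every call it then makes inside `Security.runAs` carries that identity to the server, which is how the container knows who is calling a protected EJB method. The JAAS entry name "Sample", the server URL, the JNDI name "ejb/Account", the remote interface `Account` (assumed EJB 3) and the method `closeAccount` are all assumptions for illustration.

```java
import java.io.IOException;
import java.security.PrivilegedAction;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import weblogic.security.Security;
import weblogic.security.auth.callback.URLCallback;

// Assumed JAAS config file, passed with -Djava.security.auth.login.config=client.jaas:
//   Sample { weblogic.security.auth.login.UsernamePasswordLoginModule required debug=false; };
public class JaasClient {
    // Hands username, password and server URL to WebLogic's login module when it asks for them.
    static class ClientCallbackHandler implements CallbackHandler {
        private final String user, url; private final char[] pass;
        ClientCallbackHandler(String user, char[] pass, String url) {
            this.user = user; this.pass = pass; this.url = url;
        }
        public void handle(Callback[] cbs) throws IOException, UnsupportedCallbackException {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass);
                else if (cb instanceof URLCallback) ((URLCallback) cb).setURL(url);
                else throw new UnsupportedCallbackException(cb);
            }
        }
    }
    public static void main(String[] args) throws Exception {
        final String url = "t3://localhost:7001";              // assumed server URL
        final String user = System.console().readLine("Username: ");
        char[] pass = System.console().readPassword("Password: ");
        // 1. Authenticate: the login module sends the credentials to the server, which checks them
        //    against its realm and returns a Subject with the user's principals (user and groups).
        LoginContext lc = new LoginContext("Sample", new ClientCallbackHandler(user, pass, url));
        lc.login();                                            // LoginException if rejected
        // 2. Calls made inside runAs carry that Subject's identity to the server, so the container
        //    checks each EJB method against the roles in the deployment descriptor. Names assumed.
        Security.runAs(lc.getSubject(), new PrivilegedAction<Void>() {
            public Void run() {
                try {
                    weblogic.jndi.Environment env = new weblogic.jndi.Environment();
                    env.setProviderUrl(url);                   // no principal/credentials: runAs supplies them
                    Account acct = (Account) env.getInitialContext().lookup("ejb/Account");
                    acct.closeAccount("42");                   // permitted or denied by the caller's role
                } catch (javax.ejb.EJBAccessException e) {
                    System.err.println("Denied: " + user + " lacks the role the descriptor requires");
                } catch (Exception e) { throw new RuntimeException(e); }
                return null;
            }
        });
    }
}
```

Inside the bean, the same identity is what `SessionContext.getCallerPrincipal()` and `isCallerInRole("...")` report, which is how the methods that the descriptor cannot cover are checked programmatically.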