Using JAAS credentials in EJBs

Similar Messages

• Client remote Authentication using JAAS and EJB Access

  Hi,
  I have a problem using JAAS in combination with Sun One Appserver 8.1 and a java remote client trying to access an EJB. Here is the scenario:
  I have implemented an EJB who's methods are protected through the deployment descriptor:
          <assembly-descriptor>
               <security-role>
                  <description>role for clients outside of the server </description>
                  <role-name>sedna</role-name>
                </security-role>
              <method-permission>
                <role-name>sedna</role-name>
                <method>
                  <ejb-name>ServerInfoBean</ejb-name>
                  <method-intf>Remote</method-intf>
                  <method-name>*</method-name>
                </method>
              </method-permission>
              <method-permission>
                <unchecked/>
                <method>
                  <ejb-name>ServerInfoBean</ejb-name>
                  <method-name>getVersion</method-name>
                </method>
                <method>
                  <ejb-name>ServerInfoBean</ejb-name>
                  <method-name>create</method-name>
                </method>
              </method-permission>
          </assembly-descriptor>I've deployed the EJB in a jar file which was packed into an ear file of a bigger application. The role has been mapped to the admin Principal in the sun-ejb-jar.xml descriptor.
  I can find the EJB, create it, and call the unchecked method getVersion and that works fine, so far so good.
  But then I try to access another method which is protected and then I get this exception
  org.omg.CORBA.NO_PERMISSION:   vmcid: 0x2000  minor code: 1806 completed: Maybe
          at com.sun.enterprise.iiop.POAProtocolMgr.mapException(POAProtocolMgr.java:179)
          at com.sun.ejb.containers.BaseContainer.postInvoke(BaseContainer.java:853)
          at com.sun.ejb.containers.EJBObjectInvocationHandler.invoke(EJBObjectInvocationHandler.java:137)
  ...I have to mention that I do make a login via the LoginContext. My jaas.config File has a reference to the com.sun.enterprise.security.auth.login.ClientPasswordLoginModule module.
  After login (which works perfectly) I lookup the context with a corbaname url which - if I understood it right - ignores the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS settings.
  After that I make the calls to the EJB. And I am allways ANONYMOUS on the server side, which is definitely the problem. Because ANONYMOUS is not allowed to call the protected EJB Methods. But I made a jaas login in advance. So where am I making a mistake???
  Am I doing something wrong?
  Need help! Thx,
  Stephan

  Hi.
  I understand correctly that you call Subject.doAs on
  the client to call the remote EJB. I guess It isn't
  right way.I had also a bad feeling about this, so I forget it. But anyway it wasn't working with or without using that doAs().
  >
  >
  Subject contextSubject =
  Subject.getSubject(AccessController.getContext());
  contextSubject.getPrincipals();This code throws exceptions in the Appserver. Unfortunately they are catched somewhere so I'm unable to find out what was going wrong. But I guess, that these exceptions where security exceptions. Never the less thanks for the hint!
  But I don't think that doing the check on the server side is the way I want to go because that is programmatically security and I want to use the declarative security which can be used through the deployment descriptor. If used correctly - and supposed I do not completely misunderstand the specification - then it should be possible to create an EJB that is protected via it's deployment descriptor and access it through the client only if the client has been authenticated through JAAS mechanisms. After successful authentication the principal should be accessible through the EJB context but not for security check, that should allready been done at this time.
  Unfortunately I don't find any resource on the internet describing the scenario in such a detail that I can reproduce it. There are only very high level documentations and hints in forums.
  Again, thanks for your effort,
  Stephan

• Has anyone used JAAS with WebLogic?

  Has anyone used JAAS with Weblogic? I was looking at their example, and I have a bunch of questions about it. Here goes:
  Basically the problem is this: the plug-in LoginModule model of JAAS used in WebLogic (with EJB Servers) seems to allow clients to falsely authenticate.
  Let me give you a little background on what brought me to this. You can find the WebLogic JAAS example (to which I refer below) in the pdf: http://e-docs.bea.com/wls/docs61/pdf/security.pdf . (I believe you want pages 64-74) WebLogic, I believe goes about this all wrong. They allow the client to use their own LoginModules, as well as CallBackHandlers. This is dangerous, as it allows them to get a reference (in the module) to the LoginContext's Subject and authenticate themselves (i.e. associate a Principal with the subject). As we know from JAAS, the way AccessController checks permissions is by looking at the Principal in the Subject and seeing if that Principal is granted the permission in the "policy" file (or by checking with the Policy class). What it does NOT do, is see if that Subject
  has the right to hold that Principal. Rather, it assumes the Subject is authenticated.
  So a user who is allowed to use their own Module (as WebLogic's example shows) could do something like:
  //THEIR LOGIN MODULE (SOME CODE CUT-OUT FOR BREVITY)
  public class BasicModule implements LoginModule
  private NameCallback strName;
  private PasswordCallback strPass;
  private CallbackHandler myCB;
  private Subject subj;
           //INITIALIZE THIS MODULE
             public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options)
                    try
                         //SET SUBJECT
                           subj = subject;  //NOTE: THIS GIVES YOU REFERENCE
  TO LOGIN CONTEXT'S SUBJECT
                                                   // AND ALLOWS YOU TO PASS
  IT BACK TO THE LOGIN CONTEXT
                         //SET CALLBACKHANDLERS
                           strName = new NameCallback("Your Name: ");
                           strPass = new PasswordCallback("Password:", false);
                           Callback[] cb = { strName, strPass };
                         //HANDLE THE CALLBACKS
                           callbackHandler.handle(cb);
                    } catch (Exception e) { System.out.println(e); }
       //LOG THE USER IN
         public boolean login() throws LoginException
            //TEST TO SEE IF SUBJECT HOLDS ANYTHING YET
            System.out.println( "PRIOR TO AUTHENTICATION, SUBJECT HOLDS: " +
  subj.getPrincipals().size() + " Principals");
            //SUBJECT AUTHENTICATED - BECAUSE SUBJECT NOW HOLDS THE PRINCIPAL
             MyPrincipal m = new MyPrincipal("Admin");
             subj.getPrincipals().add(m);
             return true;
           public boolean commit() throws LoginException
                 return true;
      }(Sorry for all that code)
  I tested the above code, and it fully associates the Subject (and its principal) with the LoginContext. So my question is, where in the process (and code) can we put the LoginContext and Modules so that a client cannot
  do this? With the above example, there is no Security. (a call to: myLoginContext.getSubject().doAs(...) will work)
  I think the key here is to understand JAAS's plug-in security model to mean:
  (Below are my words)
  The point of JAAS is to allow an application to use different ways of authenticating without changing the application's code, but NOT to allow the user to authenticate however they want.
  In WebLogic's example, they unfortunately seem to have used the latter understanding, i.e. "allow the user to authenticate however they want."
  That, as I think I've shown, is not security. So how do we solve this? We need to put JAAS on the server side (with no direct JAAS client-side), and that includes the LoginModules as well as LoginContext. So for an EJB Server this means that the same internal permission
  checking code can be used regardless of whether a client connects through
  RMI/RMI-IIOP/JEREMIE (etc). It does NOT mean that the client gets to choose
  how they authenticate (except by choosing YOUR set ways).
  Before we even deal with a serialized subject, we need to see how JAAS can
  even be used on the back-end of an RMI (RMI-IIOP/JEREMIE) application.
  I think what needs to be done, is the client needs to have the stubs for our
  LoginModule, LoginContext, CallBackHandler, CallBacks. Then they can put
  their info into those, and everything is handled server-side. So they may
  not even need to send a Subject across anyways (but they may want to as
  well).
  Please let me know if anyone sees this problem too, or if I am just completely
  off track with this one. I think figuring out how to do JAAS as though
  everything were local, and then putting RMI (or whatever) on top is the
  first thing to tackle.

  Send this to:
  newsgroups.bea.com / security-group.

• Using JAAS with Weblogic 10.3

  Hi all,
  we're porting our application from oc4j r2 to weblogic 10.3 and the last piece of the puzzle seems to be jaas. There's a small problem in that we use our own security model, so we need jaas only to be able to use getCallerPrincipal() from an EJB. So we don't really want to perform authentication, only to save the principal.
  We tried adding our own login module and callback handler and called weblogic.security.services.Authentication.login to get a subject and then weblogic.servlet.security.ServletAuthentication.runAs to save the user. From what I saw the server tries to use the embedded LDAP, so I started looking into security realms. It seems I need to create a dummy authentication provider? Is there an easier way for the dummy login?
  Thanks

  I'm not sure about Authentication Provider. I'll look into it. On the other hand I wrote 3 simple classes, one simple principal, one login module and one simple callback handler.
  Even though I get no exception and finally I call loginContext.login(). But still getCallerPrincipal() from the ejb context returns weblogic's admin.
  In my LoginModule's commit method, I have this:
      public boolean commit() throws LoginException {
          if (succeeded == false) {
              return false;
          } else {
              // add a Principal (authenticated identity)
              // to the Subject
              // assume the user we authenticated is the SamplePrincipal
              userPrincipal = new DummyPrincipal(username);
              if (!subject.getPrincipals().contains(userPrincipal)) {
                  subject.getPrincipals().add(userPrincipal);
              log.debug("Added principal " + username + " to the subject");
              if (debug) {
                  log.debug("Login Module Principals:");
                  for (Iterator i = subject.getPrincipals().iterator(); i.hasNext();) {
                      log.debug("Principal: " + ((Principal)i.next()).getName());
              // in any case, clean out state
              username = null;
              password = "";
              password = null;
              commitSucceeded = true;
              return true;
      }which is essentially taken from Sun's tutorial. It just seems that weblogic does not take into consideration the login I perform through jaas. Do I need to call runAs, doPrivilegedAction, each time an http request is made?

• Using JAAS in a BC4J Client

  Hello
  We are building a BC4J application.
  We would like to use JAAS on the client side (Swing Client), to do some authorization.
  I made a test, authentication a user trough JAAS on the client as follow:
  // Auhorization
  CallbackHandler handler = new InfoCallbackHandler();
  String s = "oracle.security.jazn.tools.Admintool";
  LoginContext loginContext = new LoginContext(s, handler);
  loginContext.login();
  Subject subject = loginContext.getSubject();
  // authenticated action
  Subject.doAs(subject, this);
  This works, as long as the client has access to the jazn.xml file.
  As far as I understand, this loads the RealmLoginModule.
  The RealmLoginModule uses either a jazn.xml file, or LDAP for authentication.
  Now I'm curios about where the RealmLoginModule gets its information from, when the client is running on an other machine than the OC4J Server.
  Where does the RealmLoginModule get the connection information for the OC4J or LDAP- server from?
  Do I have to deliver the security information (jazn.xml file) to the client (I dont want to expose all this information to the Hackers on the client side)?
  Is there a way to delegate the JAAS calls to the middle tier (a security provider , LoginModule, that does RMI-calls to an EJB-component)?
  Is there a way to do authorization with the BC4J interfaces on the client (something like boolean ApplikacitonModule.isUserInRole(Role) or javax.security.auth.Subject ApplikacitonModule.getSubject() or java.util.Set ApplikacitonModule.getPrincipalsForSubject())?
  I would like to get a javax.security.auth.Subject representing the user (and password)
  that is authenticated in the middle tier. This is the Subject (defined by username & password)),
  used for the JNDI lookup, and by the whole J2EE (EJB) security, when creating a root ApplicationModule.
  Is this possible?
  Regards
  Matthais Gerber

  Hi,
  In JDeveloper 9.0.3, BC4J has JAAS support in the middle-tier. You could set jbo.security.enforce to "Test" or "Must" on the application module using "Configuration...", "Edit" in JDev. If you are using the default Oracle 9iAS JAAS you will also need to include BC4J Security library in the project. The jdk\jre\lib\securtiy\java.security should have login.configuration.provider=oracle.security.jazn.spi.LoginConfigProvider.
  You do not need to create LoginContext, CallbackHandler, etc. in either your client app or business objects.
  If you are not using OC4J, you need to have another loginmodule that implement javax.security.auth.spi.LoginModule. You need to set the jbo.security.loginmodule with you loginmodule name, include the class or jar in your library, specify the jaas config file on the java runtime option.
  Please refer to 9.0.3 online help "Working with Security in BC4J" for more information.
  Thanks,
  Yvonn

• Automatic login using JAAS...

  I've got a web application that uses a secured resource to restrict access to a set of pages. Using FORM based authentication this all works fine - the web container uses a custom LoginModule and request.getUserPrincipal returns the correct user.
  However, if I attempt to do a programmatic login (eg, in a Servlet) using something like this:
  new LoginContext("Users", new UsernamePasswordHandler(username, password.toCharArray()).login();it all goes wrong. No LoginException is thrown, the custom LoginModule authenticates them alright and the EJB context has the correct user Principal. HttpServletRequests, however, still return null for the user Principal.
  Does anyone know how to programmatically "set" the user Principal that the Servlet container associates with a particular session?
  I'm using JBoss 3.0.0 with Catalina.
  Many thanks in advance.

  Hi,
  I've been following the (lack of) progress of your post with interest. As I will be going down the same path very shortly. If you have any joy please send me any details.
  I've looked at Tomcat 4.0.3 source and it appears that you may have an option to get the Principal set in the request. If you can cast your request to a org.apache.catalina.HttpRequest then you'll have access to the setUserPrincipal() method.
  Otherwise you're going to have to implement a Realm (which I'm looking into as we speak) which uses JAAS. There've been a few posts in the Tomcat lists about a JAAS Realm, but seems that no-one has created one yet worth including in a build of Tomcat.
  Dave

• Issue with Authentication using JAAS for coherence

  Hi,
  I have configured security frame work using JAAS for storage enabled node,
  I am using keystore for authenticating the users, Below is the code used for authentication,
      Subject subject;
          try{ subject = Security.login(sUsername, sPassword.toCharArray()); }
          catch (Throwable t){
              subject = null;
              log("Authentication error:");
              log(t); }
          if (subject != null)
              for (Iterator iter = subject.getPrincipals().iterator(); iter.hasNext(); )
                  Principal principal = (Principal) iter.next();
                  log("Principal: " + principal.getName());
          Security.runAs(subject, new PrivilegedAction()
              public Object run()
                  NamedCache cache = CacheFactory.getCache(CACHE_NAME);
                  boolean flag = true;
                  while (flag) {}
                  return null;
              });and i am calling the above class in the callback handler which is defined in coherence operation descriptor.
          <security-config>
                  <enabled system-property="tangosol.coherence.security">true</enabled>
                  <login-module-name>TestCoherence</login-module-name>
                   <access-controller>
                  <class-name>com.tangosol.net.security.DefaultController</class-name>
                          <init-params>
                          <init-param id="1">
                          <param-type>java.io.File</param-type>
                          <param-value>config/keystore.jks</param-value>
                          </init-param>
                          <init-param id="2">
                          <param-type>java.io.File</param-type>
                          <param-value>config/permissions.xml</param-value>
                          </init-param>
                          </init-params>
                   </access-controller>
                   <callback-handler>
                          <class-name>Test</class-name>
                   </callback-handler>
           </security-config>I am using the following command line parameters for bringing up the storage enabled node.
  -Dtangosol.coherence.security.permissions="$CONFIG_PATH/permissions.xml" 
  -Dtangosol.coherence.security.keystore="$CONFIG_PATH/keystore.jks" 
  -Djava.security.auth.login.config="$CONFIG_PATH/login.config" 
  -Dtangosol.coherence.security=trueNow till the callback handler thread is alive, storage enabled node will be up. As soon as the call back handler thread dies. Storage enabled node stops with the following error,
  Exception in thread "main" java.lang.SecurityException: Authentication failed: Error initializing keystore
  at com.tangosol.coherence.component.net.security.Standard.loginSecure(Standard.CDB:36)
  at com.tangosol.coherence.component.net.security.Standard.getTempSubject(Standard.CDB:11)
  at com.tangosol.coherence.component.net.security.Standard.checkPermission(Standard.CDB:18)
  at com.tangosol.coherence.component.net.Security.checkPermission(Security.CDB:11)
  at com.tangosol.coherence.component.util.SafeCluster.ensureService(SafeCluster.CDB:6)
  at com.tangosol.coherence.component.net.management.Connector.startService(Connector.CDB:25)
  at com.tangosol.coherence.component.net.management.gateway.Remote.registerLocalModel(Remote.CDB:8)
  at com.tangosol.coherence.component.net.management.gateway.Local.registerLocalModel(Local.CDB:8)
  at com.tangosol.coherence.component.net.management.Gateway.register(Gateway.CDB:1)
  at com.tangosol.coherence.component.util.SafeCluster.ensureRunningCluster(SafeCluster.CDB:50)
  at com.tangosol.coherence.component.util.SafeCluster.start(SafeCluster.CDB:2)
  at com.tangosol.net.CacheFactory.ensureCluster(CacheFactory.java:948)
  at com.tangosol.net.DefaultConfigurableCacheFactory.ensureService(DefaultConfigurableCacheFactory.java:748)
  at com.tangosol.net.DefaultCacheServer.start(DefaultCacheServer.java:140)
  at com.tangosol.net.DefaultCacheServer.main(DefaultCacheServer.java:61)
  Please let me know where should i pass the credentials to the default cache server for authentication or should i change the any implementation of authentication here.
  Thanks in advance,
  Bhargav

  Bhargav,
  Rather than trying to loop forever in a callback handler try this
  import com.tangosol.net.CacheFactory;
  import com.tangosol.net.DefaultCacheServer;
  import com.tangosol.net.security.Security;
  import javax.security.auth.Subject;
  import java.security.PrivilegedExceptionAction;
  public class SecureCacheServer {
      public static void main(final String[] args) throws Exception {
          LoginContext lc = new LoginContext("Coherence");
          lc.login();      
          Subject subject = lc.getSubject();
          Security.runAs(subject, new PrivilegedExceptionAction() {
              public Object run() throws Exception {
                  DefaultCacheServer.main(args);
                  return null;
  }Then when you start your cache server just use the SecureCacheServer class above rather than DefaultCacheServer
  As the main method of DefaultCacheServer is running in a PrivilegedExceptionAction Coherence will use this identity anywhere it needs to do anything secured.
  I hope the code above compiles OK as it is a modified version of the code I really use.
  Hope this helps
  JK

• When I login to my bank, I get the message: 403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied. Have new MacBook Air with Yosemite. How to solve this problem?

  When I try to login to the website of my bank, I get the following error message:
  403 - Forbidden: Access is denied.
  You do not have permission to view this directory or page using the credentials that you supplied.
  I have a new MacBook Air with OS Yosemite installed.
  What is the problem and how can I solve it?

  Some websites require a special client certficate for access. If you don't have that certficate, you'll have to contact the site operator to find out how to get one.
  Sometimes the problem is caused by a web server that is configured to request an optional client certificate. Safari treats the request as mandatory. In that case, other browsers such as Firefox and Chrome may be able to connect to the site, because they ignore the request.
  The first time you were prompted for a certificate, you may have clicked through a dialog that requested access to the Apple certificate in your keychain that is used to secure the iMessage service. In that case, you may be able to regain access to the site in Safari by doing as follows.
  Back up all data.
  Double-click anywhere in the line below on this page to select it:
  com.apple.idms.appleid.prd
  Copy the selected text to the Clipboard by pressing the key combination command-C.
  Launch the Keychain Access application in any of the following ways:
  ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
  ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
  ☞ Open LaunchPad. Click Utilities, then Keychain Access in the icon grid.
  Paste into the search field in the Keychain Access window by clicking in it and pressing the key combination command-V. An item may appear in the list of keychain items. The Name will begin with string you searched for, and the Kind will be "certificate."
  Delete the item by selecting it and pressing the delete key. It will be recreated automatically the next time you launch the Messages or FaceTime application.
  The next time you visit a site that prompts for an optional client certificate, cancel out of the prompt. You may have to do this several times before the server stops asking.
  Credit for this idea to Christian Braukmueller of SAP.

• How to Set Up SSO Between IBM WebSphere and SAP EP Using JAAS

  Hi
  I have read the article on SDN called "How to Set Up SSO Between IBM WebSphere and SAP EP Using JAAS", which is also the name of my posting.
  The reason why I post this is that I've tried to follow the links in the PDF to get the file WebsphereEpSsoLib.zip but I get an error 403, which tells me that the file is not there.
  Does anybody know where this file went or can somebody tell me an alternative place to get this file?
  Jacob

  Please open the associated whitepaper, and you can find the download link to the .ZIP file on page 4.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/ibm/how to set up single sign-on between an ibm websphere portal and the sap enterprise portal using jaas.pdf
  Hope that works!
  Elise

• You do not have permission to view this directory or page using the credentials that you supplied.You do not have permission to view this directory or page using the credentials that you supplied.

  Hi,
  I update recently my OS to Yosemite and decided to use Safari again as my web browser (I was using Chrome). Some of the sites I need to access for professional reasons are not available with safari. I receive the message: "403 - Forbidden: Access is denied.You do not have permission to view this directory or page using the credentials that you supplied.". I believe there is a pattern here, they are all sites publish with IIS with SSL and build with ASP.NET.
  I can access them with Chrome (on OS X) or with Internet Explorer (with my Windows VMs).
  I've already cleared all saved passwords, cookies, history, etc...the problem remains. I'm sure this is a known problem, but all the answers I've found on the internet were for things like DNS and unavailability of the site. The sites are working fine and I can access them with Chrome.
  Can anybody help me? An explanation would also be nice :-) Something to do with Microsoft Authentication methods ?
  Thanks,

  Some websites require a special client certficate for access. If you don't have that certficate, you'll have to contact the site operator to find out how to get one.
  Sometimes the problem is caused by a web server that is configured to request an optional client certificate. Safari treats the request as mandatory. In that case, other browsers such as Firefox and Chrome may be able to connect to the site, because they ignore the request.
  The first time you were prompted for a certificate, you may have clicked through a dialog that requested access to the Apple certificate in your keychain that is used to secure the iMessage service. In that case, you may be able to regain access to the site in Safari by doing as follows.
  Back up all data.
  Double-click anywhere in the line below on this page to select it:
  com.apple.idms.appleid.prd
  Copy the selected text to the Clipboard by pressing the key combination command-C.
  Launch the Keychain Access application in any of the following ways:
  ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
  ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
  ☞ Open LaunchPad. Click Utilities, then Keychain Access in the icon grid.
  Paste into the search field in the Keychain Access window by clicking in it and pressing the key combination command-V. An item may appear in the list of keychain items. The Name will begin with string you searched for, and the Kind will be "certificate."
  Delete the item by selecting it and pressing the delete key. It will be recreated automatically the next time you launch the Messages or FaceTime application.
  The next time you visit a site that prompts for an optional client certificate, cancel out of the prompt. You may have to do this several times before the server stops asking.
  Credit for this idea to Christian Braukmueller of SAP.

• 403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied

  I got this message when trying to checkout from a site store:
  403 - Forbidden: Access is denied.
  You do not have permission to view this directory or page using the credentials that you supplied.
  Any ideas how can I solve it?

  Ask the people running the store; that error generally means that you tried to do something they don't allow or something's wrong on their end.
  (89086)

• Why am I getting this message: 403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied?

  I just tried to access a website that I regularly access several times a day. However, this evening I received the following message: 403 - Forbidden: Access is denied.
  You do not have permission to view this directory or page using the credentials that you supplied.
  I have never seen this before, and have no idea what it means, or how to access the site. Does it have anything to do with my security settings? Help. I belong to the site, and need to access it.

  Do you need to login to access that website?
  Clear the cache and the cookies from sites that cause problems.
  * "Clear the Cache": Tools > Options > Advanced > Network > Offline Storage (Cache): "Clear Now"
  * "Remove the Cookies" from sites causing problems: Tools > Options > Privacy > Cookies: "Show Cookies"

• Using JarSettings to generate EJB client jar, but supported classes missed

  Appreciated for any comments in advance.
  I am using @jarSetting to generate EJB client jar file from workshop 9.2. The remote method of EJB has one input parameter that is defined as an interface. The interface is included in client jar, but the implementation of this interface is not.
  Please advise how I can add the implementation of this interface to client jar?
  Best Regards,
  James

  Hi James,
  I believe the algorithm for creating the client jar is to simply inspect the EJB interfaces using reflection and to include all user defined classes and exceptions that are referenced by the interfaces. In your case, it sounds like a class is not being included because it is not directly referenced by one of the EJB interfaces.
  I think the client jar creation algorithm can be described as "best effort" and unfortunately, it does not always end up including all classes needed by the client. I would recommend you add the additional classes manually using the jar tool.
  - Matt

• Using swing to develop EJB project

  Hi, Folks
  I am using jbuilder7 to develop swing connect to ejb project, one requirement is that i should doing control with the editable table. That requirement make me to tied with JBuilder component JDBTable. However the development time would become remarkable long. does anybody have experience of using fancy swing and EJB in the same project?
  thansk in advance.

  forget to tell you I am using JDBTable already. the problem is that how
  could i serlize the dataset to EJB in a easy way? ok, you don't need to serialize your dataset to trasmit to server side. Class com.borland.dx.dataset.DataSetData implements Serializable interface already, so you can send your dataset to server and do not care about serialization. But what to do with this DataSet on server side is very interesting question ;). As for me, it's not very handly to pull out your data from Dataset on server side (DataSet "looks" like client-side class). But, of course, it's up to you.
  unfortunlly I should doing add, delete, edit from my table. So its
  pretty complex to deal with this sort of issue.Why complex? I don't think so. For example, you may set 2 buttons: "Set" and "Delete" under your Jtable view and just "to fish" data client entered in your Jtable string, pack this data in your own serializable model and send this data to server session facade. As for me that's very handly and fast. And there is no complexity...
  Regards.

• Role based menu using JAAS

  Is it possible to implement role based menu using JAAS in web application ? My requirment is to enable or disable menu items on the screen based on the roles of the logged in user .
  Can some one help me on this ?

  Is it possible to implement role based menu using JAAS in web application ? My requirment is to enable or disable menu items on the screen based on the roles of the logged in user .
  Can some one help me on this ?