[
https://issues.apache.org/jira/browse/CLEREZZA-481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13031868#comment-13031868
]
Henry Story commented on CLEREZZA-481:
--------------------------------------
It turns out that having the following works better
public boolean authenticate(Request request, Subject subject)
throws LoginException, HandlerException;
This allows the authentication servlet filter to pass the same subject to each
authentication method implementations, and each of these can add the Principals
it finds into the subject in addition to any credentials it comes across. This
can then
- allow multiple authentications to occur one after the other, and for
multiple auths to reinforce each other - say someone who auths with password
and webid is better authenticated than just webid (perhaps)
- to allow code to work out how an authentication decision was made
- to help write debugging servlets that can comment on failures
...
> AuthenticationMethod.authenticate(Request request) return Subject
> -----------------------------------------------------------------
>
> Key: CLEREZZA-481
> URL: https://issues.apache.org/jira/browse/CLEREZZA-481
> Project: Clerezza
> Issue Type: Improvement
> Reporter: Henry Story
>
> currently AuthenticationMethod.authenticate(Request request) returns String
> It would make more sense if it could return a Subject [1]. This would allow
> the object returned to be a lot richer. For example
> (a) A Subject can contain a number of credentials and a number of
> Principals. In the WebId with an X509 certificate containing a number of
> Subject Alternative Names a subject could contain a number of WebID
> Principals. Some WebIDs might take time to be verified, so they could appear
> in the Subject at a later time.
> (b) A Subject can also contain credentials. In fact X509 certificates
> should be the prototypical public credential.
> (c) Credentials can be any object, but clearly one could wrap an
> X509certificate in a class with an isCurrent() method to test if the
> certificate is still valid. It would also allow X509certs to be destroyed,
> which could then perhaps throw TLS exceptions... to be looked into.
> [1]
> http://download.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html#Subject
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
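The `authenticate(Request request, Subject subject)` contract discussed in the comment above, sketched as an added example; this is not Clerezza code and the `Request`, `PasswordMethod`, `WebIdMethod`, `NamedPrincipal` and `AuthTrace` types are hypothetical stand-ins (the request carries a constructed header and the SAN URIs of a client certificate in place of a real `X509Certificate`, and `HandlerException` is omitted). It shows one filter passing the same JAAS `Subject` through several methods, each adding the Principals and public credentials it finds, with a per-method trace so later code can see how the decision was made:

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;

// Added example, not Clerezza code: the proposed authenticate(Request, Subject)
// contract and a filter that chains methods over ONE shared Subject.
// Request, PasswordMethod, WebIdMethod, NamedPrincipal and AuthTrace are
// hypothetical stand-ins for the real types.
public class SharedSubjectAuthDemo {

    /** Hypothetical request: HTTP headers plus the SAN URIs of a client
     *  certificate presented over TLS (a stand-in for the X509Certificate). */
    static final class Request {
        final Map<String, String> headers = new LinkedHashMap<>();
        final List<String> certificateSanUris = new ArrayList<>();
    }

    /** The proposed contract: each method adds what it can to the shared
     *  Subject and reports whether it established an identity. */
    interface AuthenticationMethod {
        String name();
        boolean authenticate(Request request, Subject subject) throws LoginException;
    }

    /** Principal carrying the kind of identity (user, webid) and its value. */
    record NamedPrincipal(String kind, String name) implements Principal {
        @Override public String getName() { return name; }
    }

    /** Public credential recording which method decided what, so later code
     *  or a debugging servlet can reconstruct how the decision was reached. */
    record AuthTrace(String method, boolean succeeded, String detail) {}

    /** Password method over a constructed "user:password" header (not HTTP Basic). */
    static final class PasswordMethod implements AuthenticationMethod {
        public String name() { return "password"; }
        public boolean authenticate(Request request, Subject subject) throws LoginException {
            String auth = request.headers.get("X-Demo-User");
            if (auth == null) return false;          // not attempted: Subject left untouched
            String[] parts = auth.split(":", 2);
            if (parts.length != 2 || !"alice".equals(parts[0]) || !"s3cret".equals(parts[1])) {
                throw new LoginException("bad password for " + parts[0]);  // wrong credential
            }
            subject.getPrincipals().add(new NamedPrincipal("user", parts[0]));
            return true;
        }
    }

    /** WebID method: every SAN URI of the client certificate becomes a WebID
     *  principal and the SAN list is kept as a public credential. Verifying
     *  each URI against its WebID profile is out of scope for this sketch. */
    static final class WebIdMethod implements AuthenticationMethod {
        public String name() { return "webid"; }
        public boolean authenticate(Request request, Subject subject) {
            if (request.certificateSanUris.isEmpty()) return false;
            for (String uri : request.certificateSanUris) {
                subject.getPrincipals().add(new NamedPrincipal("webid", uri));
            }
            subject.getPublicCredentials().add(List.copyOf(request.certificateSanUris));
            return true;
        }
    }

    /** Filter step: run every method against the same Subject and record a
     *  trace per method. A LoginException is recorded rather than hidden, so
     *  a later method can still succeed and the failure stays visible. */
    static Subject authenticateAll(Request request, List<AuthenticationMethod> methods) {
        Subject subject = new Subject();
        for (AuthenticationMethod m : methods) {
            try {
                boolean ok = m.authenticate(request, subject);
                subject.getPublicCredentials().add(
                        new AuthTrace(m.name(), ok, ok ? "principals added" : "not attempted"));
            } catch (LoginException e) {
                subject.getPublicCredentials().add(new AuthTrace(m.name(), false, e.getMessage()));
            }
        }
        return subject;
    }

    /** Number of methods that succeeded; two independent identities for the
     *  same request is the "reinforcing" case from the comment. */
    static int successfulMethods(Subject subject) {
        int n = 0;
        for (Object c : subject.getPublicCredentials()) {
            if (c instanceof AuthTrace t && t.succeeded()) n++;
        }
        return n;
    }

    public static void main(String[] args) {
        Request req = new Request();                               // constructed request
        req.headers.put("X-Demo-User", "alice:s3cret");
        req.certificateSanUris.add("https://alice.example/#me");
        req.certificateSanUris.add("https://alt.example/alice#i");

        Subject s = authenticateAll(req, List.of(new PasswordMethod(), new WebIdMethod()));
        System.out.println("principals: " + s.getPrincipals());
        System.out.println("methods that succeeded: " + successfulMethods(s));
        for (Object c : s.getPublicCredentials()) {
            if (c instanceof AuthTrace t) System.out.println("trace: " + t);
        }
    }
}
```

Two design points worth keeping from this sketch: a method that does not apply to the request returns false without touching the Subject, so an unused method never leaves half-populated state behind; and a method that is attempted with a wrong credential throws, and the filter records that as a failed trace instead of swallowing it, which is what makes a debugging servlet able to comment on failures.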