All "default" Subjects should be obtained by logging in to a realm, not
constructed explicitly
----------------------------------------------------------------------------------------------
Key: GERONIMO-2687
URL: http://issues.apache.org/jira/browse/GERONIMO-2687
Project: Geronimo
Issue Type: Bug
Security Level: public (Regular issues)
Components: security
Affects Versions: 2.0
Reporter: David Jencks
Assigned To: David Jencks
We have several places where we just construct a Subject for a default
principal or some such. This ties us to some very restrictive assumptions
about what a principal is that are incompatible with e.g. triplesec. Also it
separates security management into maintaining the login backing store (e.g.
ldap) and maintaining the deployment plan.
Instead, all these subjects should be obtained by logging into a realm. To do
this we need way to supply the appropriate credentials.
I'm thinking of an interface
public interface CredentialStore {
Subject getSubject(String realm, String id) throws LoginException;
}
that appropriate bits can use to get the subject they need. The normal
implementation can store credentials for the ids and log in to the realm
indicated. We can have a backwards-compatible implementation that constructs
the subject as is done currently.
Even better would be to have this accessible only through having some
permissions. However this would require starting the server to require
credentials. I'm not sure how to implement that or if it would have widespread
support.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
