I have created an issue to introduce a suitable switch to skip
authentication.
https://issues.apache.org/jira/browse/KARAF-2219
Christian
On 04.03.2013 13:19, Guillaume Nodet wrote:
The authentication part is already switchable, you can have a custom login
module which will just return true without doing any real authentication.
However, that's kind of a security breach if you put it by default. So you
need to make sure that is only done in a custom jaas configuration which is
not usedby the container itself for security.
On Mon, Mar 4, 2013 at 12:25 PM, Christian Schneider <
ch...@die-schneider.net> wrote:
On 04.03.2013 12:11, Guillaume Nodet wrote:
Shouldn't STS delegate certificate authentication to the underlying JAAS
system ?
I also thought about this but at the moment STS uses policies to define
the auth method. So ws-security automatically kicks in. Of course we could
use a custom
validator that delegates to JAAS. In this case we would have to define a
way to forward all credentials to JAAS (like Certificate and Signature).
Independent of this possibility what do you think about making the
authentication part switchable? I think this could help for other cases too
where e.g. you want to authenticate using ldap but have roles in a db or
similar.
Christian
--
Christian Schneider
http://www.liquid-reality.de
Open Source Architect
http://www.talend.com
--
Christian Schneider
http://www.liquid-reality.de
Open Source Architect
http://www.talend.com
