Yes, I agree, the use of flags should cover the use case of adding roles.
I must admit I still don't understand why you'd have to bypass the
authentication.
Bypassing the authentication would mean that users could be given roles
with wrong credentials.
Worst thing, the authentication is done twice, but really, it should just
be delegated to JAAS.


On Wed, Mar 6, 2013 at 11:37 PM, Łukasz Dywicki <l...@code-house.org> wrote:

> Hey Christian,
> I am not sure *if* that's really a good direction. I haven't seen an option
> like this before in other JAAS module implementations, but I may have a
> limited view of this. A proper way to do that with JAAS is to use control
> flags like required, sufficient or optional; that's the way the overall
> JAAS was designed. If you really need additional principals attached to the
> subject you can add them in the certificate login module/code, can't you?
>
> Best regards,
> Łukasz
>
> On Monday, 4 March 2013, Christian Schneider wrote:
>
> > I have created an issue to introduce a suitable switch to skip
> > authentication.
> >
> > https://issues.apache.org/jira/browse/KARAF-2219
> >
> > Christian
> >
> > On 04.03.2013 13:19, Guillaume Nodet wrote:
> >
> >> The authentication part is already switchable, you can have a custom
> >> login module which will just return true without doing any real
> >> authentication. However, that's kind of a security breach if you put it
> >> by default.  So you need to make sure that is only done in a custom jaas
> >> configuration which is not used by the container itself for security.
> >>
> >>
> >> On Mon, Mar 4, 2013 at 12:25 PM, Christian Schneider <
> >> ch...@die-schneider.net> wrote:
> >>
> >>> On 04.03.2013 12:11, Guillaume Nodet wrote:
> >>>
> >>>> Shouldn't STS delegate certificate authentication to the underlying
> >>>> JAAS system ?
> >>>>
> >>> I also thought about this but at the moment STS uses policies to define
> >>> the auth method. So ws-security automatically kicks in. Of course we
> >>> could use a custom validator that delegates to JAAS. In this case we
> >>> would have to define a way to forward all credentials to JAAS (like
> >>> Certificate and Signature).
> >>>
> >>> Independent of this possibility what do you think about making the
> >>> authentication part switchable? I think this could help for other cases
> >>> too where e.g. you want to authenticate using ldap but have roles in a
> >>> db or similar.
> >>>
> >>>
> >>> Christian
> >>>
> >>> --
> >>> Christian Schneider
> >>> http://www.liquid-reality.de
> >>>
> >>> Open Source Architect
> >>> http://www.talend.com
> >>>
> >>>
> >>>
> >>
> >
> > --
> > Christian Schneider
> > http://www.liquid-reality.de
> >
> > Open Source Architect
> > http://www.talend.com
> >
> >
>



-- 
------------------------
Guillaume Nodet
------------------------
Red Hat, Open Source Integration

Email: gno...@redhat.com
Web: http://fusesource.com
Blog: http://gnodet.blogspot.com/
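Added example, not part of the thread and not Karaf's or the JDK's code: a small Python model of how a JAAS LoginContext combines login modules under the control flags discussed above (required, requisite, sufficient, optional), following the rules in the javax.security.auth.login.Configuration javadoc. The three module classes (an LDAP authenticator, a roles-from-DB module that checks no password, and the "just return true" module) and the user and role tables are constructed for the illustration. It shows the two outcomes the thread argues about: a role-only module flagged `required` behind a `required` LDAP module hands out roles only to verified credentials, while the skip-authentication module placed first as `sufficient` lets any password through because the real authenticator is never consulted.

```python
"""Simulation of how a JAAS LoginContext combines login modules under the
control flags required / requisite / sufficient / optional, following the
rules in the javax.security.auth.login.Configuration javadoc. Written for
this page: the module classes and user/role tables are constructed
examples, not Karaf's or the JDK's code."""

# Constructed stand-ins for an LDAP directory (passwords) and a roles DB.
LDAP_PASSWORDS = {"alice": "s3cret", "bob": "hunter2"}
DB_ROLES = {"alice": {"admin", "manager"}}          # bob has no role entry


class LoginFailed(Exception):
    """login() failed (JAAS would throw a LoginException)."""


class LoginModule:
    """Stand-in for javax.security.auth.spi.LoginModule: login() returns
    True (succeeded) or False (ignore me) or raises LoginFailed; commit()
    attaches principals and runs only if the overall login succeeded."""

    def __init__(self, subject, user, password, shared_state):
        self.subject, self.user, self.password = subject, user, password
        self.shared_state = shared_state

    def login(self):
        raise NotImplementedError

    def commit(self):
        pass


class LdapLoginModule(LoginModule):
    """Real authenticator: checks the password, attaches the user principal."""

    def login(self):
        if LDAP_PASSWORDS.get(self.user) != self.password:
            raise LoginFailed("bad credentials for " + self.user)
        self.shared_state["javax.security.auth.login.name"] = self.user
        return True

    def commit(self):
        self.subject.add(("user", self.user))


class DbRoleModule(LoginModule):
    """Adds roles only. It never checks a password, so the control flags of
    the modules around it decide whether the login succeeds at all."""

    def login(self):
        if self.user not in DB_ROLES:
            raise LoginFailed("no role entry for " + self.user)
        return True

    def commit(self):
        self.subject.update(("role", r) for r in DB_ROLES[self.user])


class SkipAuthModule(LoginModule):
    """The 'custom login module which will just return true' from the thread."""

    def login(self):
        return True

    def commit(self):
        self.subject.add(("user", self.user))


def login_context(config, user, password):
    """Run modules as LoginContext.login() does. config: [(flag, class), ...].
    Returns (succeeded, principals); principals is empty unless succeeded."""
    subject, shared_state, succeeded = set(), {}, []
    required_ok, saw_required = True, False
    for flag, module_class in config:
        module = module_class(subject, user, password, shared_state)
        try:
            result = module.login()
        except LoginFailed:
            result = None                          # failure
        if result is False:
            continue                               # ignored; flag irrelevant
        if flag in ("required", "requisite"):
            saw_required = True
        if result:
            succeeded.append(module)
            if flag == "sufficient" and required_ok:
                break                              # later modules never run
        elif flag in ("required", "requisite"):
            required_ok = False
            if flag == "requisite":
                break                              # stop immediately
        # a failing sufficient or optional module is simply skipped
    if not (required_ok if saw_required else bool(succeeded)):
        return False, frozenset()                  # abort: nothing attached
    for module in succeeded:
        module.commit()
    return True, frozenset(subject)


# LDAP authenticates, the DB adds roles; both have to succeed.
LDAP_AUTH_DB_ROLES = [("required", LdapLoginModule), ("required", DbRoleModule)]
# Same, but a user without a role entry can still log in (with no roles).
LDAP_AUTH_OPTIONAL_ROLES = [("required", LdapLoginModule), ("optional", DbRoleModule)]
# Skip-auth module in front as sufficient: LDAP is never consulted.
SKIP_AUTH_FIRST = [("sufficient", SkipAuthModule), ("required", LdapLoginModule)]
```

With `LDAP_AUTH_DB_ROLES`, `login_context(..., "alice", "wrong")` fails and returns no principals even though the role module itself "succeeded", which is the flags-based answer to the "authenticate via LDAP, roles from a DB" case. With `SKIP_AUTH_FIRST` the same wrong password yields a committed user principal, which is the breach Guillaume describes if such a module ends up in a realm the container uses.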
