I think there are two different things: verifying the credentials' validity and authenticating the user. The first one can be done by WS-Security, but the second one should be done by JAAS, though it can be just verifying the mapping between the given credential and the user.
For public key authentication used by SSH, that's what we do. The key is verified by SSH, and once the public key is verified, we simply authenticate the user by verifying that the public key has been configured for the user. I wonder if we could do the same for WS-Security. The ws-sec layer would verify the credentials (checking trust), and delegate to JAAS the association of the credential with the user (and retrieve the associated roles at the same time). So I think what we need is a new LDAPLoginModule (and maybe another one for non-LDAP environments) that could verify that the given credential is associated with the user.

On Thu, Mar 7, 2013 at 7:40 AM, Christian Schneider <ch...@die-schneider.net> wrote:

> Hi Lukasz,
>
> I am not sure how the optional flag would work. I suspect though that I get no roles when the authentication fails.
> Basically the problem is that I do not have a password when doing the login. Of course the user is not unauthenticated as the certificate check is already done by ws-security.
>
> Yes I can create a certificate login module. But it would have to copy all role retrieval code from the LDAPLoginModule. The certificate check is done by checking the trust of the certificate and the proof of possession. During this I do not get any roles. So I still would have to call ldap with a fixed user to get the roles. I will do some experiments with this and will report back if I find a better way than the switch.
>
> Christian
>
> On 06.03.2013 23:37, Łukasz Dywicki wrote:
>
>> Hey Christian,
>> I am not sure *if* that's really a good direction. I haven't seen an option like this before in other JAAS module implementations, but I may have a limited view of this. A proper way to do that with JAAS is to use control flags like required, sufficient or optional. That's the way the overall JAAS was designed.
>> If you really need additional principals attached to the subject you can add them in the certificate login module/code, can't you?
>>
>> Best regards,
>> Łukasz
>>
>> On Monday, 4 March 2013, Christian Schneider wrote:
>>
>
> --
> Christian Schneider
> http://www.liquid-reality.de
>
> Open Source Architect
> Talend Application Integration Division http://www.talend.com
>

--
------------------------
Guillaume Nodet
------------------------
Red Hat, Open Source Integration
Email: gno...@redhat.com
Web: http://fusesource.com
Blog: http://gnodet.blogspot.com/
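The split proposed in the reply above (the SSH or WS-Security layer verifies the credential, JAAS only checks that the credential is associated with the user and attaches roles), as an added Java example; this is not code from the thread, from Karaf or from CXF. The `PublicKeyCallback`, the `NamedPrincipal` class, the SHA-256 fingerprint format and the in-memory `USER_KEYS`/`USER_ROLES` maps standing in for the LDAP lookups are all assumptions, and the user `alice` with her roles is constructed data.

```java
import java.io.IOException;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/**
 * Added example (not from the thread, Karaf or CXF): a JAAS LoginModule that does only the
 * second half of the split. It assumes the public key was ALREADY verified (trust, proof of
 * possession) by the SSH or WS-Security layer; it only checks that the key is configured for
 * the named user and attaches that user's roles. In-memory maps stand in for the LDAP lookups.
 */
public class KeyAssociationLoginModule implements LoginModule {
    /** Hypothetical callback through which the outer layer hands over the verified key. */
    public static final class PublicKeyCallback implements Callback {
        private PublicKey key;
        public void setKey(PublicKey key) { this.key = key; }
        public PublicKey getKey() { return key; }
    }

    /** Minimal Principal; Karaf would use its own user/role principal classes. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    /** Constructed stand-ins for the directory: user -> key fingerprint and user -> roles. */
    static final Map<String, String> USER_KEYS = new HashMap<>();
    static final Map<String, List<String>> USER_ROLES = new HashMap<>();

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private List<String> roles = Collections.emptyList();
    private boolean succeeded;

    /** SHA-256 over the encoded key: the value one would store per user in LDAP. */
    static String fingerprint(PublicKey key) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
        return Base64.getEncoder().encodeToString(digest);
    }

    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("user: ");
        PublicKeyCallback keyCb = new PublicKeyCallback();
        try {
            handler.handle(new Callback[] { nameCb, keyCb });
            String expected = USER_KEYS.get(nameCb.getName());
            // No password is involved: the only check is the key <-> user association.
            if (keyCb.getKey() == null || expected == null
                    || !MessageDigest.isEqual(expected.getBytes(), fingerprint(keyCb.getKey()).getBytes())) {
                throw new FailedLoginException("key is not associated with user " + nameCb.getName());
            }
            user = nameCb.getName();
            roles = USER_ROLES.getOrDefault(user, Collections.emptyList());
            succeeded = true;
            return true;
        } catch (IOException | UnsupportedCallbackException | NoSuchAlgorithmException e) {
            throw new LoginException(e.toString());
        }
    }

    @Override public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new NamedPrincipal("user:" + user));
        for (String r : roles) subject.getPrincipals().add(new NamedPrincipal("role:" + r));
        return true;
    }

    @Override public boolean abort() { succeeded = false; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); return true; }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PublicKey aliceKey = gen.generateKeyPair().getPublic(), otherKey = gen.generateKeyPair().getPublic();
        USER_KEYS.put("alice", fingerprint(aliceKey));             // constructed directory content
        USER_ROLES.put("alice", Arrays.asList("admin", "viewer"));
        // The handler plays the ws-sec/SSH layer: it supplies the user name and the already-verified key.
        for (PublicKey presented : new PublicKey[] { aliceKey, otherKey }) {
            CallbackHandler h = callbacks -> {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
                    else if (cb instanceof PublicKeyCallback) ((PublicKeyCallback) cb).setKey(presented);
                    else throw new UnsupportedCallbackException(cb);
                }
            };
            Subject s = new Subject();
            LoginModule m = new KeyAssociationLoginModule(); // in Karaf, wired via the jaas config and LoginContext
            m.initialize(s, h, new HashMap<>(), new HashMap<>());
            try {
                if (m.login()) m.commit();
                System.out.println("accepted, principals: " + s.getPrincipals());
            } catch (LoginException e) {
                m.abort();
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The first attempt (alice's own key) is accepted and the subject ends up with `user:alice`, `role:admin` and `role:viewer`; the second (a key not configured for alice) is rejected without any password ever being handled. Because the module is never given a password, a `required`/`optional` control flag by itself cannot express this: the module has to be told which credential was verified, which is what the callback carries. In a real deployment the two map lookups become the LDAP queries the thread discusses, one for the key(s) configured for the user and one for the roles, so the role-retrieval part of the LDAPLoginModule could be shared rather than copied.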