Hi, since you said you were sort of interested I have to tell what I
did today and yesterday:

1. A DirContext JCA (org.jboss.naming.dir.ra)
2. Following appendix C in the connector spec, I did an LdapLoginModule
   that adds a PasswordCredential (working against the same base classes
   as the DirContext JCA) to the subject (private cred)
3. Added the possibility to dynamically set the ResourceSubjectFactory
   in ConnectionFactoryLoader.

4. Added a SubjectResourceSubjectFactory which looks up the currently
   active Subject and returns that to the connector stuff, to use when
   creating a new connection.

Now you can set up this as a resource in your servlet or ejb, for
example connect java:comp/env/users to the DirContext resource adapter
and get access to user data as the current user.

I will add the ability to also directly get the data for the current
user.

It is really early stuff, and I agree that it is not general enough to
solve the big problem with signon to resource adapter as the calling
principal/subject.

But it works ok (just had it up and working) for user data.

Is this of any interest at all or is it just me playing too loud? Perhaps
as a contrib stuff?

//Peter   

On 22 Oct, To: [EMAIL PROTECTED] wrote:
> On 22 Oct, To: [EMAIL PROTECTED] wrote:
>> On 21 Oct, Scott M Stark wrote:
>>> I plan on doing an extension of JBossSX + JCA based on applicable
>>> standards to provide a uniform security service for all JBoss services.
>> 
>> That's great. But is this "plan as in will be done spring 2002" or as in
>> "plan I am already working on it". I need to sort of get my stuff up and
>> working this year, and personally it would be great to know at least the
>> direction you are working in.
> 
> Ok, I have read the Connector spec so many times, but never the JAAS
> appendix. It's all there (well almost all) except from (what I guess)
> that the Subject (principal mapping) done that way will not be
> accessible by the calling client.
> 
> Is there any support today in JBosscx to use the Subject from the
> calling security domain?
> 
> //Peter
>> 
>> //Peter
>>> 
>>> ----- Original Message ----- 
>>> From: <[EMAIL PROTECTED]>
>>> To: <[EMAIL PROTECTED]>
>>> Sent: Sunday, October 21, 2001 12:29 PM
>>> Subject: Re: [JBoss-dev] User API; was Tomcat security/LdapLoginModule
>>> 
>>> 
>>>> At a first architectural level, this would mean that to be able to
>>>> authenticate as the current user, each such system must have added a
>>>> LoginModule to the auth chain for that particular security domain, and
>>>> that the LoginModule works in cooperation with the API/adapter giving
>>>> access to the resource data, probably by using some sort of
>>>> encryption/ticket granting mechanism internally known only to the parts
>>>> handling the resource.
>>>> 
>>>> This could probably be made pretty generic for JCA stuff (JBoss would
>>>> have to handle both the LoginModule and the encryption/decryption of
>>>> credentials). For LDAP it would not be that hard either, I think.
>>>> 
>>>> Or is it better to wait for SUN to make a stand on these things (and they
>>>> will eventually!)? Should we only implement stuff that is standardized
>>>> for the container?
>>>> 
>>>> Well, just my 2c.
>>>> 
>>>> //Peter
>>>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> Jboss-development mailing list
>>> [EMAIL PROTECTED]
>>> https://lists.sourceforge.net/lists/listinfo/jboss-development
>> 
> 

-- 
Work with us: http://www.tim.se/weblab
------------------------------------------------------------
Peter Antman             Technology in Media, Box 34105 100 26 Stockholm
Systems Architect        WWW: http://www.tim.se
Email: [EMAIL PROTECTED]        WWW: http://www.backsource.org
Phone: +46-(0)8-506 381 11 Mobile: 070-675 3942 
------------------------------------------------------------


_______________________________________________
Jboss-development mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-development