Hi Scott, Excellent - this was just what I was looking for, but didn't realise it already existed. I'll check this out pronto.
Many thanks, Phil > -----Original Message----- > From: Scott M Stark [mailto:[EMAIL PROTECTED]] > Sent: 20 September 2002 18:05 > To: [EMAIL PROTECTED]; > [EMAIL PROTECTED] > Subject: Re: [JBoss-dev] Re: [jetty-discuss] isValid() not a good fit > for certs > > > It sounds like to me you simply want to be able to get a > principal with > a meaningful name in application code through > HttpServletRequest.getUserPrincipal. > This is already supported through the CallerPrincipal > mapping. The login > module simply creates a java.security.acl.Group named > "CallerPrincipal" that contains > the java.security.Principal to be returned by the JBoss RealmMapping > Principal getPrincipal(Principal principal) method. The > principal as known in the > security domain and that at the application level can be two > different objects. > I don't see any need for a mutable Principal. > > xxxxxxxxxxxxxxxxxxxxxxxx > Scott Stark > Chief Technology Officer > JBoss Group, LLC > xxxxxxxxxxxxxxxxxxxxxxxx > > ----- Original Message ----- > From: "Dawes, Phil" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]>; > <[EMAIL PROTECTED]> > Sent: Friday, September 20, 2002 7:45 AM > Subject: RE: [JBoss-dev] Re: [jetty-discuss] isValid() not a > good fit for certs > > > > Hi Greg, Hi Scott, > > > > Thanks for your replies. > > > > Unfortunately, unlike Jetty, JbossSX does require that the > principal be the > > same for each subsequent call into the security layer after > the initial > > auth, since JaasSecurityManager caches the subject > information based on > > principal. This means AFAIK I can't switch the principal to > a different one > > after the authenticate. > > > > <thinks> > > Although I suppose Jetty could use a Principal which > allowed the name to be > > changed retrospectively without changing the hashcode - > would this work?. > > </thinks> > > > > > > I ought to elaborate - the real problem for me is not > thinking of a name for > > a dummy principal to use. The real problem is that after > authentication, the > > application writers will want to get more information about > the user other > > than just the principal name. In order to do this we have a > service which > > returns information about the user when passed the > authenticated principal. > > This means that the principal name needs to be something > sensible (currently > > UserID in our weblogic setup). > > > > Weblogic has an api (like jetty's) which allows the > principal to be created > > after the authentication, thus allowing the realm to > dictate what the > > authenticated principal name is. > > > > How does this sound as a solution: > > > > - jetty ClientCertAuthenticator uses subjectDN, or failing that, > > CertSerial&Issuer as the username (not important really) > > > > - The Jetty JbossUserRealm creates a principal which can > have its name > > changed without changing the object hashcode. > > > > - Realm calls isValid(principal, cert) > > > > - Home baked JAAS LoginModule authenticates certificate, > and populates > > active subject on commit. > > > > - Realm then sets the principal name to be that of the > first principal in > > the active subject. > > > > This means that the author of the JAAS login module can > dictate what name of > > the principal after the authentication has taken place, and > the Jetty > > JbossUserRealm is still pretty generic. > > > > Does this sound reasonable? > > > > Cheers, > > > > Phil > > > > ------------------------------------------------------- > This sf.net email is sponsored by:ThinkGeek > Welcome to geek heaven. > http://thinkgeek.com/sf > _______________________________________________ > Jboss-development mailing list > [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/jboss-development > ---------------------------------------------------------------------- If you have received this e-mail in error or wish to read our e-mail disclaimer statement and monitoring policy, please refer to http://www.drkw.com/disc/email/ or contact the sender. ---------------------------------------------------------------------- ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Jboss-development mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-development
