--- Scott M Stark <[EMAIL PROTECTED]> wrote:
> The only issue with this is that the
> JaasSecurityManager is not considered
> a public API for which compatibility between
> releases is a consideration.
> Your subclass of JaasSecurityManager may not work in
> later releases.
> The public API for use with JaasSecurityManager is
> simply the JAAS
> login module API.


I think the JAAS security manager definitely needs some
change. Let's assume a situation where a call comes
with principal "null" and credential "null" - this can
be (and is, in my context) a legitimate user, with
some roles defined.

My login module authenticates him, assigns roles and
updates the subject. This subject is returned to
JaasSecurityManager, and it's happy. When it's happy
it saves the subject information into the cache. With a funny
key of "null" - which was my original principal.

After the successful authentication phase comes
authorization (doesUserHaveRole()), where it
tries to look up the cached authentication information
using the "null" principal - and of course fails, despite
the fact that my login module said OK to this.

I propose to add separate storage for "null" principal
authentication data. 

For now I did a quick fix - tweaking principal from
"null" to SimplePrincipal("nobody") and everything
works so far...
regards,


=====
Konstantin Priblouda ( ko5tik )    Freelance Software developer
< http://www.pribluda.de > < play java games -> http://www.yook.de >
< render charts online -> http://www.pribluda.de/povray/ >
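The failure mode and the workaround described in the post above, as an added illustration. This is not code from the post and not JBoss's JaasSecurityManager; the class `NullPrincipalCacheDemo`, its stand-in `SimplePrincipal`, the `login()` stand-in for a login module, and the choice of `java.util.Hashtable` (which refuses null keys) as the authentication cache are all assumptions made for the example. It shows an anonymous caller (null principal, null credential) passing the authentication phase but failing the `doesUserHaveRole()` lookup when the cache is keyed on the null principal, and passing it once the key is replaced by `SimplePrincipal("nobody")`.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

// Added illustration, not JBoss code: a toy "security manager" whose
// authentication cache, like java.util.Hashtable, cannot hold a null key.
public class NullPrincipalCacheDemo {

    /** Stand-in for JBoss's SimplePrincipal: identity is the name string. */
    public static final class SimplePrincipal implements Principal {
        private final String name;
        public SimplePrincipal(String name) { this.name = Objects.requireNonNull(name); }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof SimplePrincipal && name.equals(((SimplePrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name; }
    }

    /**
     * Stand-in for the login module (assumed policy): the anonymous caller
     * (null principal, null credential) is a legitimate user holding the
     * "guest" role; named users must present the credential "secret".
     * Returns null when authentication is refused.
     */
    static Set<String> login(Principal principal, Object credential) {
        Set<String> roles = new HashSet<>();
        roles.add("guest");
        if (principal != null) {
            if (!"secret".equals(credential)) {
                return null;                 // named user with a bad credential
            }
            if ("admin".equals(principal.getName())) {
                roles.add("admin");
            }
        }
        return roles;
    }

    /** Hashtable refuses null keys; this models the cache behaviour the post describes. */
    private final Map<Principal, Set<String>> authCache = new Hashtable<>();
    private final boolean substituteNobody;

    NullPrincipalCacheDemo(boolean substituteNobody) { this.substituteNobody = substituteNobody; }

    /** The post's workaround: key a null principal as SimplePrincipal("nobody"). */
    private Principal cacheKey(Principal p) {
        return (p == null && substituteNobody) ? new SimplePrincipal("nobody") : p;
    }

    /** Authentication phase: run the login module and cache the roles under the key. */
    boolean isValid(Principal p, Object credential) {
        Set<String> roles = login(p, credential);
        if (roles == null) {
            return false;
        }
        Principal key = cacheKey(p);
        if (key != null) {                   // a null key can never be stored...
            authCache.put(key, roles);
        }
        return true;                         // ...yet authentication still reports success
    }

    /** Authorization phase: look up the cached roles under the same key. */
    boolean doesUserHaveRole(Principal p, String role) {
        Principal key = cacheKey(p);
        if (key == null) {                   // ...and can never be found
            return false;
        }
        Set<String> roles = authCache.get(key);
        return roles != null && roles.contains(role);
    }

    public static void main(String[] args) {
        NullPrincipalCacheDemo broken = new NullPrincipalCacheDemo(false);
        NullPrincipalCacheDemo fixed = new NullPrincipalCacheDemo(true);

        // Anonymous caller: authentication succeeds in both managers, but only
        // the substituted key survives into the authorization check.
        System.out.println("isValid(null) broken: " + broken.isValid(null, null));
        System.out.println("isValid(null) fixed:  " + fixed.isValid(null, null));
        System.out.println("guest? broken: " + broken.doesUserHaveRole(null, "guest"));
        System.out.println("guest? fixed:  " + fixed.doesUserHaveRole(null, "guest"));

        // Named user, plus a check that the anonymous entry grants no extra rights.
        Principal admin = new SimplePrincipal("admin");
        System.out.println("admin login:   " + fixed.isValid(admin, "secret"));
        System.out.println("admin? admin:  " + fixed.doesUserHaveRole(admin, "admin"));
        System.out.println("admin? nobody: " + fixed.doesUserHaveRole(null, "admin"));
    }
}
```

Two consequences of the substitution are worth keeping in mind when applying it for real. Every anonymous caller now shares one cache entry under "nobody", so the login module must grant the anonymous roles unconditionally rather than from per-call context, or the first caller's result will be served to all later ones. And the name "nobody" must be reserved: a genuine user with that principal name would collide with the anonymous entry, which is why the example keys on `SimplePrincipal` equality by name.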


_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user
