Hi David and all,

I finally have some time for J2 from now on. I have read all your security documentation. For the chapter Architecture Overview (http://portals.apache.org/jetspeed-2/multiproject/jetspeed-security/arch.html), I have a little question. In this chapter, the original text reads:

"Authentication establishes the identity of the user and populates the Subject with all the user principals. In a portal context, the populated Subject is added to the session in the org.apache.jetspeed.security.SecurityValve implementation."

I think we should make it clearer here: the Subject object in the portal context is not the original one populated by LoginContext.login() (I raised an issue for this problem earlier: http://issues.apache.org/jira/browse/JS2-238). That is to say, a user can plug in their own JAAS LoginModule by configuring login.conf, but only for verification. Any action such as adding a credential to the Subject's public or private credential set in the user's own LoginModule is meaningless, because the Subject object populated by the LoginContext.login() method is simply abandoned after the JAAS authentication.

Does it make sense?

- James Liao
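As an added example (not Jetspeed code and not from the message above), a stand-alone JAAS program that models the situation James describes: a hypothetical plug-in LoginModule stores a private credential in commit(), and a second Subject rebuilt from the principal name alone, standing in for a portal that discards the LoginContext's Subject, ends up without it. The module, the in-memory Configuration, and the user name, password and token value are all constructed for the demo.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;
public class SubjectRebuildDemo {
    // Hypothetical plug-in LoginModule: checks one constructed demo user, then adds a principal
    // and a private credential to the Subject, as a module wired in through login.conf would.
    public static class TokenModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sh, Map<String, ?> o) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); } catch (Exception e) { throw new LoginException(e.toString()); }
            if (!"alice".equals(nc.getName()) || !"secret".equals(new String(pc.getPassword())))
                throw new FailedLoginException("bad user or password");
            user = nc.getName(); return true;
        }
        public boolean commit() {
            subject.getPrincipals().add(new X500Principal("CN=" + user));
            subject.getPrivateCredentials().add("session-token-for-" + user); // lost if the Subject is rebuilt
            return true;
        }
        public boolean abort() { return true; }
        public boolean logout() { subject.getPrivateCredentials().clear(); return true; }
    }
    public static void main(String[] args) throws Exception {
        Configuration cfg = new Configuration() { // in-memory stand-in for login.conf
            public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(TokenModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
        CallbackHandler cb = callbacks -> { // supplies the constructed demo user and password
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("secret".toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("demo", null, cb, cfg); lc.login();
        Subject populated = lc.getSubject();
        Subject rebuilt = new Subject(); // portal-style rebuild from the principal name alone
        populated.getPrincipals().forEach(p -> rebuilt.getPrincipals().add(new X500Principal(p.getName())));
        System.out.println("LoginContext subject: " + populated.getPrivateCredentials());
        System.out.println("rebuilt subject:      " + rebuilt.getPrivateCredentials());
    }
}
```

The second line prints an empty set: anything the portal layer later expects to find in the Subject's credential sets has to be re-attached by the portal itself, not by the JAAS module.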