Hey Tim, Jaas is full of smells :P
Let's see if I can help you out here...
1. You are correct. You can chain AuthenticationProviders, but as soon
as one returns a valid token the chain ends.
2. The first part of this is what the AuthorityGranter interface is
designed for. The AuthenticationDao thing, I'm not sure what your
intent was. Either way, the AuthenticationDao.authenticate(...) method
returns a UserDetails instance, which has the GrantedAuthority[]
getAuthorites() method on it.
3. The AuthorityGranter (AuthorityResolver would have been a better
name though hehe) returns a set for exactly the reason you mentioned.
You pass it a principal and it returns a set of ROLE_names. This +
some jdbc access or whatever your authority source is going to be
would be an option. Inelegance is in the eye of the beholder :P
One thing to keep in mind with Jaas, there will (almost) always be at
least one principal to work with, and that's the user. So if certain
users are going to get extra roles or authorities based on their
username for example writing an AuthorityGranter to do that would be
the way to go.
I hope this helps, or at least made sense.
-Ray
On 7/18/05, Tim Kettering [EMAIL PROTECTED] wrote:
Hi everyone,
On this project I'm working on, we are using JAAS to authenticate a token,
and Acegi's JAAS support classes allow for the translation of the user and
its principals to Acegi's authority objects. But in this particular case,
we are not interested in the principals that JAAS returns. We want to
continue using our own method for obtaining the authorities.
So I've been looking at a few possible approaches. But none of them seem to
really avoid the sense of code smell, so I thought I'd ask on the list for
suggestions from people who may be more familiar with a better strategy.
using a different authentication provider to simply populate the authorities
– it seems to me that authentication manager will only process with one
authentication provider, and if it returns a valid token, it does not
continue down the list… so when jaas authentication provider returns a valid
token, it wont process the custom class I made. (correct me if im wrong).
Replace Acegi's JaasAuthenticationProvider with a similar one of our own
that adds a method that obtains the additional authorities and adds it in.
This was the approach I started with, and I thought perhaps I could make use
of the AuthenticationDao to obtain the authorities I needed for the user and
add them in, but apparently AuthenticationDao does not provide an easy way
to simply obtain the authorities.. but instead, need to obtain the user
itself.
With the latest code in HEAD, AuthorityResolver can now return a set, so I
could hack a custom Resolver that ignored the returned Jaas Principal and
simply provided its own, but this seems rather inelegant, and has it's own
issues.
So, I guess I'm asking here.. is there a easier way (that I've missed) to
introduce my own GrantedAuthorities in the JAAS authentication flow??
Thanks in advance!
-tim
HS^µéšŠX¬²š'²ŠÞu¼ƒŠÇ(½êÄjÌ‹Š{±2(+jب�+kj× ‰ë®‰ˆÁb�Ûš™^¶‡è–Z0F†�™ªl²ÚÚŠm~Šðj·Z®Øœ•ë�ú+™«b½åžmƬ¶Æ§vj+xgz÷«ÊØbž
¨ºwžvÚ zÛ©¶‹)yç_jËa¶Úý§l¢Çgr‰¿iØ�