I'm working on a basic OpenID (<http://openid.net/>,
<http://www.openidenabled.com/>) library for Java. It is clear,
however, that a simple OpenID library won't be too useful in the Java
world, unless there is additional code for making it easy to integrate
into a servlet/JSP environment.
I would like to find a way to use it that is both easy, and portable
between containers. Portability between containers would seem to make
Container Managed Security's realm-based authentication a bad idea, as
custom realm code varies widely between containers. Additionally, CMS
authentication is designed to not allow unsolicited login requests. The
way OpenID works, all login requests would be considered unsolicited by
the container.
Here's a quick overview of the OpenID login process:
1. The user enters their OpenID URL on the site they want to log in to.
2. The site does some setup work, and redirects them to their identity
provider's site to verify that they control the OpenID URL.
3. The provider's site redirects them back to the site they wish to log
in to, with some cryptographic proof the login is valid. (For details,
see the OpenID specification.)
4. The site the user is logging in to verifies the cryptographic data,
and acts appropriately.
From what I can tell, the biggest issue here is this: On the site
being logged in to, all user interaction is performed in step 1, but the
final login is performed in step 4, handling an entirely different
request from the user.
Does anybody have any ideas about how to do this in a portable and
stable manner? I'm aware of the SecurityFilter project, but it seems to
have stalled in development a long time ago, with several important bugs
still outstanding. Is there any other approach to this that's remotely
viable?
Thanks for your time, and thanks in advance for any suggestions.
Carl Howells
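One portable way to bridge the gap between step 1 and step 4 is a plain servlet Filter that keeps the pending login attempt in the HttpSession and binds the provider's return request to it with a random nonce. The code below is an added example written for this thread; it is not Carl's library, not SecurityFilter, and not any OpenID library's real API. The OpenIdConsumer interface, the ServletContext attribute name, the paths /login, /login.jsp and /openid/return, and the rp_nonce parameter are all assumptions of this example; it targets the javax.servlet 3.x API.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Container-independent OpenID relying-party filter (added example).
 * Step 1 (user submits an identifier) and step 4 (provider redirects back) are two
 * unrelated HTTP requests; the HttpSession is the only portable thing linking them,
 * so the pending attempt lives there and is tied to the returning request by a nonce.
 */
public class OpenIdLoginFilter implements Filter {

    /** Hypothetical adapter around the OpenID library; a real library's API will differ. */
    public interface OpenIdConsumer {
        /** Step 2: discovery/association; returns the provider URL to redirect the user to. */
        String beginAuth(String claimedId, String returnTo);
        /** Step 4: checks the signed response; returns the verified identifier, or null. */
        String verifyResponse(String claimedId, String receivedUrl, Map<String, String[]> params);
    }

    /** Everything remembered between the two requests. */
    static final class PendingLogin implements Serializable {
        final String claimedId, nonce, nextUri;
        final long startedAt = System.currentTimeMillis();
        PendingLogin(String claimedId, String nonce, String nextUri) {
            this.claimedId = claimedId; this.nonce = nonce; this.nextUri = nextUri;
        }
    }

    private static final String PENDING = "openid.pending", USER = "openid.user", NEXT = "openid.next";
    private static final long MAX_AGE_MS = 5 * 60 * 1000;   // a pending attempt is valid for 5 minutes
    private final SecureRandom random = new SecureRandom();
    private OpenIdConsumer consumer;

    @Override public void init(FilterConfig cfg) throws ServletException {
        // Assumed convention: the application registers its adapter as a ServletContext attribute.
        consumer = (OpenIdConsumer) cfg.getServletContext().getAttribute("openid.consumer");
        if (consumer == null) throw new ServletException("openid.consumer not configured");
    }
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;
        String path = req.getServletPath();
        HttpSession session = req.getSession(false);
        if ("/login".equals(path) && "POST".equals(req.getMethod())) {   // step 1
            startLogin(req, resp);
        } else if ("/openid/return".equals(path)) {                       // step 4
            finishLogin(req, resp);
        } else if ("/login.jsp".equals(path) || (session != null && session.getAttribute(USER) != null)) {
            chain.doFilter(req, resp);                                    // login page, or already logged in
        } else {
            req.getSession(true).setAttribute(NEXT, req.getRequestURI()); // remember where to send them after
            resp.sendRedirect(req.getContextPath() + "/login.jsp");
        }
    }

    private void startLogin(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String claimedId = req.getParameter("openid_identifier");
        if (claimedId == null || claimedId.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing openid_identifier");
            return;
        }
        byte[] buf = new byte[16];
        random.nextBytes(buf);
        String nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        HttpSession session = req.getSession(true);
        String next = (String) session.getAttribute(NEXT);
        session.setAttribute(PENDING, new PendingLogin(claimedId, nonce,
                next != null ? next : req.getContextPath() + "/"));
        // return_to carries the nonce: the returning request must present it to be matched
        // with this session's attempt, so a response cannot be replayed into another session.
        String url = req.getRequestURL().toString();
        String base = url.substring(0, url.length() - req.getServletPath().length());
        resp.sendRedirect(consumer.beginAuth(claimedId, base + "/openid/return?rp_nonce=" + nonce));
    }

    private void finishLogin(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        PendingLogin pending = session == null ? null : (PendingLogin) session.getAttribute(PENDING);
        if (session != null) session.removeAttribute(PENDING);           // single use, pass or fail
        if (pending == null || !pending.nonce.equals(req.getParameter("rp_nonce"))
                || System.currentTimeMillis() - pending.startedAt > MAX_AGE_MS) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "no matching login attempt in this session");
            return;
        }
        String qs = req.getQueryString();
        String received = req.getRequestURL() + (qs == null ? "" : "?" + qs);
        String verifiedId = consumer.verifyResponse(pending.claimedId, received, req.getParameterMap());
        if (verifiedId == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "OpenID response did not verify");
            return;
        }
        // Fresh session on success, so a session id handed out before login cannot be reused.
        session.invalidate();
        req.getSession(true).setAttribute(USER, verifiedId);
        resp.sendRedirect(pending.nextUri);
    }
}
```

Map the filter to `/*` in web.xml and it needs nothing container-specific: no realm, no JAAS module, no container login API. The nonce, the single-use removal and the expiry are what make the unsolicited step 4 request safe to accept, and the post-login target is the request URI recorded by our own filter rather than a caller-supplied parameter, so there is no open redirect.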