Hi all I have a few related issues to raise concerning authentication.
Firstly, when can we hope to see the policy framework being implemented in bindings other than WS? My concern is particularly token-based authentication with the JMS binding. I know, given the new policy framework SPIs, it will be possible in principle to apply policies to bindings externally, but I'm not sure that will be sufficient in the JMS case. Secondly, having authenticated, I need to access the credentials from within the target component. This is partly for application-specific authorization within the component, and partly for passing on via non-SCA references. I know the RequestContext has a method for returning the authenticated Subject, but it is not implemented. Is there any intention either to implement this, or provide a equivalent extension point? Finally, to support any such feature, it seems to me we need some extra plumbing to associate the authenticated credentials with the current invocation on the thread, like the Subject.doAs() pattern - although I know the standard version is broken. This needs to be at a higher level in the flow than standard interceptors. For the WS binding it seems necessary to do it above the Axis handler level, e.g. with a servlet filter or by extending the servlet. But I think for JMS and other bindings it would need implementing within the binding, probably in the Listener and possibly the Invoker (for replies). Have I missed something here? Thanks in advance Steve
