Just thinking out loud here, but it shouldn't be too difficult to change this into holding a hash of the logincontext instead of the whole context. Since the equals contract already specifies that equal objects should have equal hashes, the equals check can be easily performed on the hash. HashMap actually uses the hash before it uses the equals, so I do not see many problems here. And it is not like you are gonna have an army of logincontexts in each session.
I'll see if I can implement this sometime tomorrow.
Thanks again for pointing this out, if you think there are more of this kind of problems just let me know.

Maurice

P.S. I guess an API for getting the original logincontext is out of the question then :)

On 6/8/07, craigdd <[EMAIL PROTECTED]> wrote:
>
> Are you saying then that the instance of LoginContext used to login is held
> onto in the WASPSession, via the security framework?
>
> If so then this brings up a huge security issue, at least the way the API
> sits and the examples showing that a LoginContext takes a username and
> password in its constructor. This means that a password (probably plain text)
> is available in the session which is usually a big no no when it comes to a
> secure application. I've been through a few security probes from banks on
> various online applications and that is one of the first things they look
> for / ask. "Are you holding onto the password?"
>
> -Craig
>
>
> Mr Mean wrote:
> >
> > There is currently no way to grab the login context, so you could
> > store it yourself (there might be multiple logincontexts though). But the
> > good news is you don't have to store it if you don't want to. The
> > logoff performs an equals check and currently every logincontext of
> > the same class and level is equal to another. So if you login using a
> > MySingleLoginContext(username, password) you can logoff with any new
> > instance of that class (logoff(new MySingleLoginContext());)
> >
> > However if you feel you need to have access to the original instance,
> > for instance because you want to know the username, I can always
> > include such a method in the API.
> >
> > Maurice
> >
> > On 6/8/07, craigdd <[EMAIL PROTECTED]> wrote:
> >>
> >> I see that the WASPSession.logout method takes a LoginContext. Is there
> >> somewhere within the SWARM implementation to grab the LoginContext used
> >> to login? Or when logging in is it up to the developer to put the
> >> LoginContext somewhere...say maybe the session itself?
> >>
> >> Thanks
> >> Craig

_______________________________________________
Wicket-user mailing list
Wicket-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wicket-user
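
The idea discussed in the message above, as an added sketch that is not code from the thread or from SWARM: the session keeps only a small key built from the context's class and level (the two properties the thread says decide equality) and the password is wiped once login finishes. All class names here are hypothetical, the credential check is a placeholder, and the record syntax assumes Java 16 or later.

```java
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class SessionLoginDemo {
    // Hypothetical stand-in for a login context built from a username and password.
    static class DemoLoginContext {
        final int level;
        final String username;
        private char[] password;
        DemoLoginContext(int level, String username, char[] password) {
            this.level = level; this.username = username; this.password = password;
        }
        DemoLoginContext(int level) { this(level, null, null); } // enough for logoff
        boolean hasPassword() { return password != null && password.length > 0; }
        void wipe() { // overwrite the secret once authentication is done
            if (password != null) { Arrays.fill(password, '\0'); password = null; }
        }
    }

    // What the session keeps: class and level, not the context object itself.
    record ContextKey(String className, int level) implements Serializable {
        static ContextKey of(DemoLoginContext ctx) {
            return new ContextKey(ctx.getClass().getName(), ctx.level);
        }
    }

    // Hypothetical session: its serializable state holds keys only, never credentials.
    static class DemoSession implements Serializable {
        private final Set<ContextKey> active = new HashSet<>();
        boolean login(DemoLoginContext ctx) {
            try {
                if (!ctx.hasPassword()) return false; // placeholder for a real credential check
                active.add(ContextKey.of(ctx));
                return true;
            } finally {
                ctx.wipe(); // runs on success and on failure
            }
        }
        boolean logoff(DemoLoginContext ctx) { return active.remove(ContextKey.of(ctx)); }
    }

    public static void main(String[] args) {
        DemoSession session = new DemoSession();
        char[] pw = "constructed-sample".toCharArray(); // constructed value
        System.out.println("login: " + session.login(new DemoLoginContext(0, "alice", pw)));
        System.out.println("password wiped: " + (pw[0] == '\0'));
        System.out.println("logoff with fresh instance: " + session.logoff(new DemoLoginContext(0)));
    }
}
```

The key is compared with a real `equals` on class name and level rather than on a bare hash code, so two different contexts whose hash codes happen to collide are not treated as the same login.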