On Fri, Feb 25, 2011 at 12:37 PM, Prabath Siriwardana <[email protected]> wrote:
> In fact the client principal is available for the service end - that is how
> we do XACML authorization based on the client principal..

How are we extracting the client principal name from the incoming Kerberos token? Is it in the Kerberos token?

Thanks
AmilaJ

> Thanks & regards,
> -Prabath
>
> On Fri, Feb 25, 2011 at 12:30 PM, Amila Suriarachchi <[email protected]> wrote:
>>
>>
>> On Fri, Feb 25, 2011 at 12:27 PM, Prabath Siriwardana <[email protected]>
>> wrote:
>>>
>>> The client principal name is accessible via the MessageContext.. we need
>>> to populate CarbonContext..
>>
>> What I learned from AmilaJ is that client principal name is not available
>> if we only use Kerberos.
>> Basically what Kerberos says is that a valid user has sent the message.
>>
>> thanks,
>> Amila.
>>>
>>> Thanks & regards,
>>> -Prabath
>>>
>>> On Fri, Feb 25, 2011 at 12:20 PM, Amila Jayasekara <[email protected]>
>>> wrote:
>>>>
>>>> On Fri, Feb 25, 2011 at 11:34 AM, Amila Suriarachchi <[email protected]>
>>>> wrote:
>>>> > When a user authenticated using Kerberos, is the user name available
>>>> > to the server?
>>>>
>>>> Hi Amila,
>>>> As far as I know the client only sends a Kerberos token. I am not sure
>>>> whether client principal name is in it. Thus as per now user name is
>>>> not available to the server. If user name is needed we need to use a
>>>> user name token as a supporting token in Kerberos policy.
>>>>
>>>> Thanks
>>>> AmilaJ
>>>>
>>>> > if so can the service get the user name with
>>>> > CarbonContext.getUserName()
>>>> >
>>>> > thanks,
>>>> > Amila.
>>>> >
>>>> > On Thu, Feb 24, 2011 at 11:36 PM, Amila Jayasekara <[email protected]>
>>>> > wrote:
>>>> >>
>>>> >> Hi All,
>>>> >> As some of you may know, there is a Kerberos KDC server with latest
>>>> >> IS build. In order to complete the use case we added Kerberos based
>>>> >> security scenario to security-mgt component. Now there is a security
>>>> >> scenario 16. See screen-shot for more details. Now users can easily
>>>> >> secure services using Kerberos security policy by selecting scenario
>>>> >> 16.
>>>> >> But this change is not yet in trunk as Kerberos related Rampart
>>>> >> changes are not yet in trunk (Currently I am doing changes in 3.0.1
>>>> >> support branch). But hopefully by next week we will be adding these
>>>> >> changes to the trunk.
>>>> >>
>>>> >> Please review the attached screen shot and let me know, if any of the
>>>> >> text needs to be changed.
>>>> >>
>>>> >> Also we need to add two more config files to support, scenario 16.
>>>> >> They are krb5.conf (Contains parameters related to requesting ticket)
>>>> >> and jaas.conf (Authorization properties).
>>>> >> I am planning to add above mentioned files to ESB's conf directory.
>>>> >> Please let me know if you have any concerns.
>>>> >>
>>>> >> Also I have a sample which demonstrates the use of KDC in IS and usage
>>>> >> of scenario 16, in ESB. Since this sample is related to 2 products, I
>>>> >> am not sure where should I place the sample. Will be great if you
>>>> >> could give feedback on where to place sample program (In IS or ESB
>>>> >> ?).
>>>> >>
>>>> >> Thanks
>>>> >> AmilaJ
>>>> >>
>>>> >> _______________________________________________
>>>> >> Carbon-dev mailing list
>>>> >> [email protected]
>>>> >> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
>>>
>>> --
>>> Thanks & Regards,
>>> Prabath
>>>
>>> http://blog.facilelogin.com
>>> http://RampartFAQ.com
