Sorry, I guess I could have added that :-) The ContextSource is essentially a connection pool similar to a DataSource. So if you set the properties on the ContextSource then its set for the entire application not just for that user.
Obtaining a DirContext from the ContextSource and then releasing the ContextSource makes it bound only for that request. -Scott -Scott Battaglia PGP Public Key Id: 0x383733AA LinkedIn: http://www.linkedin.com/in/scottbattaglia On Fri, Aug 1, 2008 at 9:54 AM, <[EMAIL PROTECTED]> wrote: > > I suspect I know, but could you lay out for me why "That would be very > bad(tm)"? :-) > > > Thanks, > Ann > > ------ > G. Ann Campbell > Systems Engineer > Shaw Industries > > > > > *"Scott Battaglia" <[EMAIL PROTECTED]>* > Sent by: [EMAIL PROTECTED] > > 08/01/2008 09:31 AM > Please respond to > Yale CAS mailing list <[email protected]> > > To > "Yale CAS mailing list" <[email protected]> cc > Subject > Re: LDAP fastbind + non-anonymous principal lookup - again > > > > > You shouldn't be setting the username and password on the ContextSource! > That would be very bad!(tm) > > You should use the ContextSource to get a DirContext. It might be > something like getContextSource().getDirContext(username, password) or > something similar. > > -Scott > > -Scott Battaglia > PGP Public Key Id: 0x383733AA > LinkedIn: > *http://www.linkedin.com/in/scottbattaglia*<http://www.linkedin.com/in/scottbattaglia> > > > On Fri, Aug 1, 2008 at 9:16 AM, <[EMAIL PROTECTED]<[EMAIL PROTECTED]>> > wrote: > > Believe I may have mis-framed what I'm doing, which is this: > > AuthenticatedLdapContextSource ctxSrc = this.getContextSource(); > ... > ctxSrc.setUserDn(fullUserName); > ctxSrc.setPassword(credentials.getPassword()); > > So I suppose my question at this point is whether there's one instance of > this ContextSource in the JVM or one per thread. > > Thanks for your help & input, > > > Ann > > ------ > G. Ann Campbell > Systems Engineer > Shaw Industries > > > > *"Scott Battaglia" <[EMAIL PROTECTED]<[EMAIL PROTECTED]> > *>* > Sent by: [EMAIL PROTECTED] <[EMAIL PROTECTED]> > > 07/31/2008 03:55 PM > Please respond to > > Yale CAS mailing list <[EMAIL PROTECTED] <[email protected]>> > > To > "Yale CAS mailing list" <[EMAIL PROTECTED] <[email protected]>> cc > Subject > Re: LDAP fastbind + non-anonymous principal lookup - again > > > > > > > The validation of credentials and the eventual resolution to a principal > are two separate actions. > > Nothing precludes you from binding to a Context and retrieving attributes > you just don't do it in the AuthenticationHandler, which is used to > authenticate that the provided credentials are valid. > > If you try and do stuff in the wrong section of course its going to feel > like a hack. Take a look at the CredentialsToPrincipalResolver which you'll > notice actually returns a Principal whereas the AuthenticationHandler merely > returns true or false. > > -Scott > > -Scott Battaglia > PGP Public Key Id: 0x383733AA > LinkedIn: > *http://www.linkedin.com/in/scottbattaglia*<http://www.linkedin.com/in/scottbattaglia> > > > On Thu, Jul 31, 2008 at 3:48 PM, <[EMAIL PROTECTED]<[EMAIL PROTECTED]>> > wrote: > > I have to pose a question that my colleagues and I have been asking each > other for a few days now: > > If you have user-provided credentials that authenticate against a > directory, why _wouldn't_ you use them for principal lookup and attribute > retrieval? Just by default? I'm not trying to be smarmy here. I'd really > like to understand this from an architectural standpoint. > > Also, it _looks_ like an easy way out in FastBindLdapAuthenticationHandler > (or some variation thereof) to set the user's credentials into the > Context's UserDn and Password. It works like a champ, but it _feels_ like a > bad idea. > > I'm only setting the credentials into the Context after successful login > and I'm resetting them to empty string at the top of the > authenticateUsernamePasswordInternal routine to minimize the chance that > userB could ride userA's coattails into the system. But I have a lingering > sense of doubt. > > Thoughts? Please? I'm looking for an elegant way to handle this, but what > I've come up with feels like a hack. > > > Thanks, > Ann > > ------ > G. Ann Campbell > Systems Engineer > Shaw Industries > > ********************************************************** > Privileged and/or confidential information may be contained in this > message. If you are not the addressee indicated in this message (or are not > responsible for delivery of this message to that person) , you may not copy > or deliver this message to anyone. In such case, you should destroy this > message and notify the sender by reply e-mail. > If you or your employer do not consent to Internet e-mail for messages of > this kind, please advise the sender. > Shaw Industries does not provide or endorse any opinions, conclusions or > other information in this message that do not relate to the official > business of the company or its subsidiaries. > ********************************************************** > > > _______________________________________________ > Yale CAS mailing list* > [EMAIL PROTECTED] <[email protected]>* > **http://tp.its.yale.edu/mailman/listinfo/cas*<http://tp.its.yale.edu/mailman/listinfo/cas> > > _______________________________________________ > Yale CAS mailing list* > [EMAIL PROTECTED] <[email protected]>* > **http://tp.its.yale.edu/mailman/listinfo/cas*<http://tp.its.yale.edu/mailman/listinfo/cas> > > ********************************************************** > Privileged and/or confidential information may be contained in this > message. If you are not the addressee indicated in this message (or are not > responsible for delivery of this message to that person) , you may not copy > or deliver this message to anyone. In such case, you should destroy this > message and notify the sender by reply e-mail. > If you or your employer do not consent to Internet e-mail for messages of > this kind, please advise the sender. > Shaw Industries does not provide or endorse any opinions, conclusions or > other information in this message that do not relate to the official > business of the company or its subsidiaries. > ********************************************************** > > > _______________________________________________ > Yale CAS mailing list* > [EMAIL PROTECTED] <[email protected]>* > **http://tp.its.yale.edu/mailman/listinfo/cas*<http://tp.its.yale.edu/mailman/listinfo/cas> > > _______________________________________________ > Yale CAS mailing list > [email protected] > http://tp.its.yale.edu/mailman/listinfo/cas > > ********************************************************** > Privileged and/or confidential information may be contained in this message. > If you are not the addressee indicated in this message (or are not > responsible for delivery of this message to that person) , you may not copy > or deliver this message to anyone. In such case, you should destroy this > message and notify the sender by reply e-mail. > If you or your employer do not consent to Internet e-mail for messages of > this kind, please advise the sender. > Shaw Industries does not provide or endorse any opinions, conclusions or > other information in this message that do not relate to the official business > of the company or its subsidiaries. > ********************************************************** > > > _______________________________________________ > Yale CAS mailing list > [email protected] > http://tp.its.yale.edu/mailman/listinfo/cas > >
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
