Currently AuthenticationMethod.authenticate(Request request) returns a String.

   It would make more sense if it could return a Subject [1]. This would allow the object returned to be a lot richer. For example:

   (a) A Subject can contain a number of credentials and a number of Principals. Each principal would be a WebID. Some WebIDs might take time to be verified, so they could appear in the Subject at a later time.

   (b) A Subject can also contain credentials. In fact X509 certificates should be the prototypical public credential.

   (c) Credentials can be any object, but clearly one could wrap an X509Certificate with an isCurrent() method to test if the certificate is still valid. It would also allow X509 certs to be destroyed, which could then perhaps throw TLS exceptions... to be looked into.


Question: How does TLS authentication relate to the LoginContext? It seems that it works for Kerberos:

http://download.oracle.com/javase/6/docs/technotes/guides/security/jgss/tutorials/AcnOnly.html

Henry

[1] http://download.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html#Subject


Social Web Architect
http://bblfish.net/
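The richer return type sketched in points (a) to (c), as an added Java example that is not code from this message or from the project it discusses: a JAAS Subject carrying WebID Principals plus an X509 credential with isCurrent(). AuthenticationMethod, Request, WebIdPrincipal, X509Credential and SubjectBuilder are hypothetical names; Subject, Principal and X509Certificate are the standard JDK types.

```java
import java.net.URI;
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.security.auth.Subject;

/** One verified WebID URI, carried as a JAAS Principal (hypothetical class name). */
final class WebIdPrincipal implements Principal {
    private final URI webId;
    WebIdPrincipal(URI webId) { this.webId = webId; }
    @Override public String getName() { return webId.toString(); }
    @Override public boolean equals(Object o) { return o instanceof WebIdPrincipal && webId.equals(((WebIdPrincipal) o).webId); }
    @Override public int hashCode() { return webId.hashCode(); }
}

/** Public credential: wraps the client's X509 certificate so callers can ask isCurrent(). */
final class X509Credential {
    private final X509Certificate cert;
    X509Credential(X509Certificate cert) { this.cert = cert; }
    X509Certificate getCertificate() { return cert; }
    /** True while the certificate's validity period covers the current time. */
    boolean isCurrent() {
        try { cert.checkValidity(); return true; }
        catch (CertificateException e) { return false; }  // expired or not yet valid
    }
}

/** Hypothetical request type: exposes the certificate presented in the TLS handshake, if any. */
interface Request { X509Certificate getClientCertificate(); }

/** Proposed shape of the method: a Subject instead of a bare String. */
interface AuthenticationMethod { Subject authenticate(Request request); }

/** Assembly a WebID verifier could perform after checking each URI against the certificate's public key. */
final class SubjectBuilder {
    static Subject build(X509Certificate cert, Set<URI> verifiedWebIds) {
        Subject subject = new Subject();
        subject.getPublicCredentials().add(new X509Credential(cert));
        for (URI id : verifiedWebIds) {
            subject.getPrincipals().add(new WebIdPrincipal(id));
        }
        return subject;  // more WebIDs can be added to the same Subject as they verify later
    }
}
```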
