Subjects should be re-used
--------------------------
Key: CLEREZZA-494
URL: https://issues.apache.org/jira/browse/CLEREZZA-494
Project: Clerezza
Issue Type: Improvement
Reporter: Henry Story
With WebID a number of things need to be looked at that don't appear obvious
when one is dealing with simple and cookie auth. This in fact also applies to
OpenId authentication. One of these is that one can have a number of Principals
in one WebID authentication, since an X509 cert could contain two webids or
even an email address.
But it is also the case that someone who authenticated themselves with WebID may
later also use a password, as an additional method of authentication.
So it seems to me that the Subject should be passed along at all stages of
authentication. The following article on JBoss Subject usage shows quite
clearly that this is the purpose of the Subject.
http://oatv.com/pub/a/onjava/excerpt/weblogic_chap17/index1.html?page=5
It will also be very useful as the Subject can gather credentials, both those
that succeeded and those that failed in order to help explain why there were
failures in a web interface. So in the case of WebID test suite we would like
to pass the X509Claims as credentials to an explanatory page, so that one can
explain to the user why the claims failed. The same will be true in an OpenID
claim: it will help to let the user know that his OpenId provider is down
at the moment, so that he can be properly redirected.
The changes to get this to work are quite small, but it will require some
thinking things through. But both OpenId support and WebId support will require
some of this thinking to occur.
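As an added illustration of the proposal (not Clerezza code and not the reporter's), one JAAS Subject is carried through a WebID stage and then a password stage, accumulating Principals and the outcome of every claim so an explanatory page can read them afterwards. WebIdPrincipal, WebIdClaimResult and the sample URIs are hypothetical, constructed for this example.

```java
import java.security.Principal;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class SubjectReuseExample {
    // Hypothetical Principal for a WebID URI taken from a certificate's SAN.
    record WebIdPrincipal(String uri) implements Principal {
        @Override public String getName() { return uri; }
    }

    // Hypothetical credential recording how one WebID claim was checked; it stays
    // on the Subject whether or not the claim verified.
    record WebIdClaimResult(String uri, boolean verified, String reason) {}

    // Stage 1 (constructed data): the cert carried two WebIDs; one verified,
    // the other could not be checked because its profile document was unreachable.
    static void webIdStage(Subject subject) {
        subject.getPublicCredentials().add(new WebIdClaimResult(
            "https://alice.example/#me", true, "public key matches profile"));
        subject.getPublicCredentials().add(new WebIdClaimResult(
            "https://alice.example.org/#me", false, "profile document unreachable"));
        // Only verified claims become Principals.
        subject.getPrincipals().add(new WebIdPrincipal("https://alice.example/#me"));
    }

    // Stage 2: the same Subject later gains a principal from a password login.
    static void passwordStage(Subject subject, String user) {
        subject.getPrincipals().add(new X500Principal("CN=" + user));
    }

    // The explanatory page: everything it needs is already on the Subject.
    static String explain(Subject subject) {
        StringBuilder sb = new StringBuilder();
        for (Principal p : subject.getPrincipals()) {
            sb.append("principal: ").append(p.getName()).append('\n');
        }
        for (WebIdClaimResult r : subject.getPublicCredentials(WebIdClaimResult.class)) {
            sb.append(r.verified() ? "verified " : "FAILED   ")
              .append(r.uri()).append(" (").append(r.reason()).append(")\n");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        Subject subject = new Subject();   // one Subject for the whole request
        webIdStage(subject);
        passwordStage(subject, "alice");
        System.out.print(explain(subject));
    }
}
```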
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira