[ https://issues.apache.org/jira/browse/GERONIMO-2687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12516231 ]
David Jencks commented on GERONIMO-2687:
----------------------------------------

In rev 560767 (trunk) and rev 560772 (2.0) I changed the name in the security element from credential-store to credential-store-ref so we can more easily embed a credential store configuration in the security config. I also eliminated an xml nesting level.

> All "default" Subjects should be obtained by logging in to a realm, not
> constructed explicitly
> ----------------------------------------------------------------------------------------------
>
> Key: GERONIMO-2687
> URL: https://issues.apache.org/jira/browse/GERONIMO-2687
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: security
> Affects Versions: 2.0-M5
> Reporter: David Jencks
> Assignee: David Jencks
> Fix For: 2.0-M7
>
>
> We have several places where we just construct a Subject for a default
> principal or some such. This ties us to some very restrictive assumptions
> about what a principal is that are incompatible with e.g. triplesec. Also it
> separates security management into maintaining the login backing store (e.g.
> ldap) and maintaining the deployment plan.
>
> Instead, all these subjects should be obtained by logging into a realm. To
> do this we need a way to supply the appropriate credentials.
>
> I'm thinking of an interface
>
> import javax.security.auth.Subject;
> import javax.security.auth.login.LoginException;
>
> public interface CredentialStore {
>     Subject getSubject(String realm, String id) throws LoginException;
> }
>
> that appropriate bits can use to get the subject they need. The normal
> implementation can store credentials for the ids and log in to the realm
> indicated. We can have a backwards-compatible implementation that constructs
> the subject as is done currently.
>
> Even better would be to have this accessible only through having some
> permissions. However this would require starting the server to require
> credentials. I'm not sure how to implement that or if it would have
> widespread support.
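The following is an added, self-contained illustration of the CredentialStore idea sketched in the issue; it is example code written for this page, not Geronimo's own implementation. The `LoginCredentialStore`, `ExplicitSubjectCredentialStore`, `DemoLoginModule` and `UserPrincipal` classes, the realm name `geronimo-admin`, the id `default` and the user table are all constructed for the demo. The login-based store keeps (realm, id) -> username/password and answers the realm's JAAS callbacks from that record, so the realm's login modules alone decide which principals end up in the Subject; the explicit store shows the backwards-compatible behaviour the issue wants to retire, where the caller fixes the principal type itself.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class CredentialStoreDemo {

    /** The interface proposed in the issue. */
    public interface CredentialStore {
        Subject getSubject(String realm, String id) throws LoginException;
    }

    /** Hypothetical store: every Subject comes from a real JAAS login against the named realm. */
    public static final class LoginCredentialStore implements CredentialStore {
        private final Map<String, String[]> credentials = new HashMap<>(); // realm + "/" + id -> {user, password}
        private final Configuration jaasConfig;

        public LoginCredentialStore(Configuration jaasConfig) { this.jaasConfig = jaasConfig; }

        public void store(String realm, String id, String user, String password) {
            credentials.put(realm + "/" + id, new String[] {user, password});
        }

        @Override
        public Subject getSubject(String realm, String id) throws LoginException {
            String[] cred = credentials.get(realm + "/" + id);
            if (cred == null) throw new LoginException("no credentials stored for " + id + " in realm " + realm);
            // Answer only name/password callbacks from the stored record; refuse anything else.
            CallbackHandler handler = callbacks -> {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(cred[0]);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(cred[1].toCharArray());
                    else throw new UnsupportedCallbackException(cb);
                }
            };
            LoginContext ctx = new LoginContext(realm, null, handler, jaasConfig);
            ctx.login(); // the realm's login modules decide what principals the Subject gets
            return ctx.getSubject();
        }
    }

    /** Backwards-compatible store: builds the Subject directly, as the code being replaced does. */
    public static final class ExplicitSubjectCredentialStore implements CredentialStore {
        @Override
        public Subject getSubject(String realm, String id) {
            Subject s = new Subject();
            s.getPrincipals().add(new UserPrincipal(id)); // caller fixes the principal type here
            return s;
        }
    }

    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof UserPrincipal && name.equals(((UserPrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    /** Stand-in login module with a constructed user table; a real realm would consult LDAP, a properties file, etc. */
    public static class DemoLoginModule implements LoginModule {
        private static final Map<String, String> USERS = new HashMap<>();
        static { USERS.put("system", "manager"); } // constructed demo user
        private Subject subject; private CallbackHandler handler; private String user; private boolean ok;

        @Override public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
            this.subject = subject; this.handler = handler;
        }
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] {nc, pc}); }
            catch (Exception e) { throw new LoginException("callback failed: " + e); }
            user = nc.getName();
            char[] pw = pc.getPassword();
            ok = pw != null && USERS.containsKey(user) && USERS.get(user).equals(new String(pw));
            pc.clearPassword();
            if (!ok) throw new FailedLoginException("bad credentials for " + user);
            return true;
        }
        @Override public boolean commit() { if (ok) subject.getPrincipals().add(new UserPrincipal(user)); return ok; }
        @Override public boolean abort() { ok = false; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    public static void main(String[] args) throws Exception {
        // Every realm name maps to the demo module; Geronimo would supply its own Configuration.
        Configuration config = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String realm) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
            }
        };
        LoginCredentialStore store = new LoginCredentialStore(config);
        store.store("geronimo-admin", "default", "system", "manager");
        System.out.println("login-based: " + store.getSubject("geronimo-admin", "default").getPrincipals());
        System.out.println("explicit:    " + new ExplicitSubjectCredentialStore().getSubject("geronimo-admin", "default").getPrincipals());
        store.store("geronimo-admin", "wrong", "system", "nope");
        try { store.getSubject("geronimo-admin", "wrong"); }
        catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Compile with `javac CredentialStoreDemo.java` and run `java CredentialStoreDemo`; the first lookup yields a Subject whose principal was added by the login module, the explicit store yields one built by the caller, and the bad-password record is rejected by the realm rather than silently producing a Subject. Two caveats a deployment would need to address: the demo holds passwords as plain `String`s in memory, and the store itself performs no authorisation, which is exactly the permission check the issue says it would like but does not know how to bootstrap.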