On Jul 5, 2007, at 5:44 PM, David Jencks wrote:

I'd like to modify the use of the openejb AuthenticationRequest to include a security realm name. Then we can use the openejb authentication request protocol to request an identification token from the server and put it in the client subject so calls to openejb can use it.

This would be fine. Alternatively, you can do as is done behind the scenes in Windows, for example, and concatenate the domain (realm) onto the user name, then pull them apart on the server side.

Generally, the contents of AuthenticationRequest bother me, as it's the only place in our protocol where we force a username/password paradigm. The rest of the protocol, including AuthenticationResponse, simply passes back Object, which only needs to be understood by the SecurityService impl that created it and possibly by the IdentityResolver, but is guaranteed not to be introspected upon anywhere else.

I couldn't think of a way to open that up without too many more moving parts in the security setup so I just left it simply hardcoded to user/pass. Would like to fix that someday.

-David
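The two options discussed above, as an added illustration that is not OpenEJB's own code: a hypothetical helper that carries the realm inside the user name (concatenated on the client, split on the server, as the reply suggests) next to a request type with an explicit realm field (as the proposal suggests). All class and method names are assumptions.

```java
import java.util.Objects;

public final class RealmQualifiedName {
    // Windows down-level style: REALM\user. A backslash cannot appear in a realm name,
    // so splitting at the FIRST separator is unambiguous even if the user part contains one.
    static final char SEPARATOR = '\\';

    /** Client side: prefix the realm so the existing username/password request carries it. */
    static String encode(String realm, String username) {
        if (realm.isEmpty() || realm.indexOf(SEPARATOR) >= 0) {
            throw new IllegalArgumentException("realm must be non-empty and contain no separator");
        }
        return realm + SEPARATOR + username;
    }

    /** Server side: pull realm and user apart; an unqualified name falls back to the default realm. */
    static String[] decode(String qualified, String defaultRealm) {
        int i = qualified.indexOf(SEPARATOR);
        if (i < 0) {
            return new String[] { defaultRealm, qualified };
        }
        String realm = qualified.substring(0, i);
        String user = qualified.substring(i + 1);
        if (realm.isEmpty() || user.isEmpty()) {
            throw new IllegalArgumentException("malformed realm-qualified name: " + qualified);
        }
        return new String[] { realm, user };
    }

    /** Hypothetical stand-in for a realm-aware request: the realm is an explicit field, no parsing needed. */
    static final class RealmAuthenticationRequest {
        final String realm;
        final String username;
        final char[] password;
        RealmAuthenticationRequest(String realm, String username, char[] password) {
            this.realm = Objects.requireNonNull(realm, "realm");
            this.username = Objects.requireNonNull(username, "username");
            this.password = Objects.requireNonNull(password, "password");
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; the explicit-field form needs no server-side splitting.
        RealmAuthenticationRequest explicit = new RealmAuthenticationRequest("corp", "alice", "s3cret".toCharArray());
        String[] fromWire = decode(encode(explicit.realm, explicit.username), "default");
        System.out.println(fromWire[0] + " / " + fromWire[1]);
        String[] unqualified = decode("bob", "default");
        System.out.println(unqualified[0] + " / " + unqualified[1]);
    }
}
```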
