On Jul 6, 2007, at 10:15 AM, David Blevins wrote:
> On Jul 5, 2007, at 5:44 PM, David Jencks wrote:
>> I'd like to modify the use of the openejb AuthenticationRequest
>> to include a security realm name. Then we can use the openejb
>> authentication request protocol to request an identification token
>> from the server and put it in the client subject so calls to
>> openejb can use it.
>
> This would be fine. Alternatively you can do like is done behind
> the scenes in Windows for example and concatenate the domain
> (realm) onto the user name then pull them apart on the server side.
>
> Generally the contents of AuthenticationRequest bother me as it's
> the only place in our protocol where we force a username/password
> paradigm. The rest of the protocol including
> AuthenticationResponse simply passes back Object which only needs
> to be understood by the SecurityService impl that created it and
> possibly by the IdentityResolver but is guaranteed not to be
> introspected upon anywhere else.
>
> I couldn't think of a way to open that up without too many more
> moving parts in the security setup so I just left it simply
> hardcoded to user/pass. Would like to fix that someday.

Yes, me too. I'm still thinking about it.

I opened OPENEJB-605 and attached a patch with my proposed
modification. I think I can get all the tests to pass at once with
this plus some Geronimo changes -- we'll see if I have time to attach
that patch before I jump on a plane.

thanks
david jencks

> -David
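
The alternative mentioned in the thread (concatenating the realm onto the user name and pulling the two apart on the server) sketched as an added example; it is not code from OpenEJB, Geronimo or the OPENEJB-605 patch. The class name, the backslash separator and the sample realm and user values are assumptions.

```java
/** Hypothetical helper, not part of OpenEJB: carries a realm inside the user name field. */
public final class RealmQualifiedName {
    // Assumed separator (Windows "DOMAIN\\user" style); the thread does not fix one.
    private static final char SEP = '\\';

    public final String realm;   // null means "use the server's default realm"
    public final String user;

    private RealmQualifiedName(String realm, String user) {
        this.realm = realm;
        this.user = user;
    }

    /** Client side: join realm and user, refusing parts that would make the split ambiguous. */
    public static String encode(String realm, String user) {
        requirePart(user, "user");
        if (realm == null) return user;
        requirePart(realm, "realm");
        return realm + SEP + user;
    }

    /** Server side: split on the first separator; no separator means no realm was sent. */
    public static RealmQualifiedName decode(String wire) {
        if (wire == null) throw new IllegalArgumentException("missing principal");
        int i = wire.indexOf(SEP);
        if (i < 0) {
            requirePart(wire, "user");
            return new RealmQualifiedName(null, wire);
        }
        String realm = wire.substring(0, i);
        String user = wire.substring(i + 1);
        requirePart(realm, "realm");
        requirePart(user, "user");   // also rejects a second separator, e.g. "a\\b\\c"
        return new RealmQualifiedName(realm, user);
    }

    private static void requirePart(String s, String what) {
        if (s == null || s.isEmpty() || s.indexOf(SEP) >= 0) {
            throw new IllegalArgumentException("invalid " + what);
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread.
        RealmQualifiedName n = decode(encode("sample-realm", "alice"));
        System.out.println(n.realm + " / " + n.user);
        try { decode("sample-realm\\other\\alice"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Rejecting empty parts and embedded separators on both sides keeps a user name from being read as belonging to a different realm than the one the client intended.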