On Wednesday, January 7, 2004, at 05:22 AM, Alan D. Cabrera wrote:
<snip>
I'm moving my Geronimo code to Nova. I'll check it in tonight. For the
moment, you are correct in that the way to get this is
ContextManager.peekContext().getSubject().
I'm hoping this move is only for the most nova-ejb-specific parts of the security framework? I'd like to eventually have a similar level of security on mbean calls, and I think most of the framework could be reused.
In particular, I would like Geronimo itself to have context frameworks for transactions, target instances (such as the ejb instance object) and security. These can be used or extended by containers deployed in Geronimo, such as Nova, Jetty, etc.
<snip>
Well, to make what I'm saying concrete, if you want to log into the db using the same user/pw as you logged into the app with, you need the password you logged into the app with to be available. Right now it's not saved in the Subject filled in by either example LoginModule. I think they should be.
If I have the user/pw from one realm, how useful would the password be in the target realm? The only thing I can think of is a mapping of a cert to a cert whose expiration is no more than the original cert.
The connector spec mentions credential mapping but I don't really see a specific case there. However, the very simple case I mentioned requires the Subject to have the original login password available, so it can be used to log into the database.
How about a CallbackHandler, created by the LoginModuleWrapper, that intercepts the credentials and places them in the subject, RealmCredential(realmName, callback)?
I don't understand what you have in mind here. If the credential supplied happens to be a password credential, a wrapping CallbackHandler could find the PasswordCallback(s). I have never seen a certificate based login system, or Kerberos, but I'd imagine they would use a custom Callback object that a generic wrapper could not detect. What am I missing?
Is there some reason not to have a LoginModule put the credentials used to authenticate into the Subject? It looks to me as if the Subject at least is designed to hold these credentials. On the other hand, I compared the JBoss login modules and they don't store the credentials either.
Thanks, david jencks
Regards, Alan
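As an added illustration of the option raised at the end of the thread (a LoginModule that itself puts the credentials it authenticated with into the Subject), here is an example of mine; it is not Geronimo, Nova or JBoss code. The class and credential type names, the "realm" module option and the verify() check with its demo user/password are assumptions; the credential is only added in commit(), after a successful login(), and is removed and zeroed on logout()/abort().

```java
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical LoginModule: keeps the password used to authenticate as a private
 *  credential tagged with the realm it was checked against, so a later db login can reuse it. */
public class PasswordRetainingLoginModule implements LoginModule {
    /** Hypothetical credential type; the realm name lets a consumer pick the right one. */
    public static final class RealmCredential {
        public final String realm, user; private final char[] password;
        RealmCredential(String realm, String user, char[] pw) { this.realm = realm; this.user = user; password = pw.clone(); }
        public char[] getPassword() { return password.clone(); }
        void destroy() { Arrays.fill(password, '\0'); }   // zero our copy on logout/abort
    }
    private Subject subject; private CallbackHandler handler; private String realm;
    private RealmCredential pending, committed;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
        this.realm = String.valueOf(options.get("realm"));   // assumed module option
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e); }
        char[] pw = pc.getPassword();   // getPassword() already returns a copy
        if (nc.getName() == null || pw == null || !verify(nc.getName(), pw)) throw new LoginException("bad user or password");
        pending = new RealmCredential(realm, nc.getName(), pw);   // held back until commit()
        pc.clearPassword(); Arrays.fill(pw, '\0');
        return true;
    }
    /** Only a committed (fully successful) login exposes the credential on the Subject. */
    public boolean commit() {
        if (pending == null) return false;
        subject.getPrivateCredentials().add(pending);
        committed = pending; pending = null; return true;
    }
    public boolean abort() { if (pending != null) pending.destroy(); pending = null; return true; }
    public boolean logout() {
        if (committed != null) { subject.getPrivateCredentials().remove(committed); committed.destroy(); }
        committed = null; return true;
    }
    /** Stand-in for the realm's real check (properties file, LDAP, ...); constructed demo values. */
    protected boolean verify(String user, char[] password) { return "demo".equals(user) && Arrays.equals(password, "demo-password".toCharArray()); }
}
```

Anything that can reach the Subject can now read the cleartext password, so keep it in the private (not public) credential set, where a SecurityManager guards access with PrivateCredentialPermission, and make sure logout() actually runs so the copy is zeroed.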