It sounds to me like you simply want to be able to get a principal with
a meaningful name in application code through HttpServletRequest.getUserPrincipal.
This is already supported through the CallerPrincipal mapping. The login
module simply creates a java.security.acl.Group named "CallerPrincipal" that contains
the java.security.Principal to be returned by the JBoss RealmMapping
Principal getPrincipal(Principal principal) method. The principal as known in the
security domain and that at the application level can be two different objects.
I don't see any need for a mutable Principal.

xxxxxxxxxxxxxxxxxxxxxxxx
Scott Stark
Chief Technology Officer
JBoss Group, LLC
xxxxxxxxxxxxxxxxxxxxxxxx
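As an added illustration (not code from the thread or from JBoss itself) of the CallerPrincipal mapping described above: a login module's commit() publishes a separate application-facing principal through a Group named "CallerPrincipal", and the RealmMapping side looks it up, falling back to the security-domain principal when none was published. It assumes JBossSX's SimplePrincipal/SimpleGroup classes and the pre-JDK 14 java.security.acl.Group API; the DN and user id values are constructed.

```java
// Added example, not from the thread: the "CallerPrincipal" mapping.
// Assumes java.security.acl.Group (removed in JDK 14) and JBossSX's
// org.jboss.security.SimplePrincipal / SimpleGroup classes.
import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;
import java.util.Set;
import javax.security.auth.Subject;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;

public class CallerPrincipalExample {

    /** What a login module's commit() does once the certificate has been
     *  validated: the realm-facing principal is kept unchanged (it is the
     *  cache key JaasSecurityManager uses), and a distinct application-facing
     *  principal is published as the sole member of a "CallerPrincipal" group. */
    static void commit(Subject subject, Principal realmPrincipal, String userId) {
        Set<Principal> principals = subject.getPrincipals();
        principals.add(realmPrincipal);            // e.g. the certificate's subject DN

        Group callerPrincipal = new SimpleGroup("CallerPrincipal");
        callerPrincipal.addMember(new SimplePrincipal(userId));
        principals.add(callerPrincipal);
    }

    /** The RealmMapping.getPrincipal side: return the CallerPrincipal member
     *  when the login module provided one, otherwise the original principal,
     *  so the two layers may hold two different Principal objects. */
    static Principal getCallerPrincipal(Subject subject, Principal realmPrincipal) {
        for (Principal p : subject.getPrincipals()) {
            if (p instanceof Group && "CallerPrincipal".equals(p.getName())) {
                Enumeration<? extends Principal> members = ((Group) p).members();
                if (members.hasMoreElements()) {
                    return members.nextElement();
                }
            }
        }
        return realmPrincipal;
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        // Constructed values: a certificate DN as the realm principal and a
        // directory user id as the name the application should see.
        Principal certDn = new SimplePrincipal("CN=Phil Dawes,O=Example");
        commit(subject, certDn, "pdawes");
        // The security domain still keys on certDn; the application gets the user id.
        System.out.println(getCallerPrincipal(subject, certDn).getName());
    }
}
```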

----- Original Message ----- 
From: "Dawes, Phil" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, September 20, 2002 7:45 AM
Subject: RE: [JBoss-dev] Re: [jetty-discuss] isValid() not a good fit for certs


> Hi Greg, Hi Scott,
> 
> Thanks for your replies.
> 
> Unfortunately, unlike Jetty, JbossSX does require that the principal be the
> same for each subsequent call into the security layer after the initial
> auth, since JaasSecurityManager caches the subject information based on
> principal. This means AFAIK I can't switch the principal to a different one
> after the authenticate. 
> 
> <thinks>
> Although I suppose Jetty could use a Principal which allowed the name to be
> changed retrospectively without changing the hashcode - would this work?
> </thinks>
> 
> 
> I ought to elaborate - the real problem for me is not thinking of a name for
> a dummy principal to use. The real problem is that after authentication, the
> application writers will want to get more information about the user other
> than just the principal name. In order to do this we have a service which
> returns information about the user when passed the authenticated principal.
> This means that the principal name needs to be something sensible (currently
> UserID in our weblogic setup).
> 
> Weblogic has an api (like jetty's) which allows the principal to be created
> after the authentication, thus allowing the realm to dictate what the
> authenticated principal name is. 
> 
> How does this sound as a solution:
> 
> - jetty ClientCertAuthenticator uses subjectDN, or failing that,
> CertSerial&Issuer as the username (not important really)
> 
> - The Jetty JbossUserRealm creates a principal which can have its name
> changed without changing the object hashcode.
> 
> - Realm calls isValid(principal, cert)
> 
> - Home baked JAAS LoginModule authenticates certificate, and populates
> active subject on commit.
> 
> - Realm then sets the principal name to be that of the first principal in
> the active subject.
> 
> This means that the author of the JAAS login module can dictate the name of
> the principal after the authentication has taken place, and the Jetty
> JbossUserRealm is still pretty generic.
> 
> Does this sound reasonable? 
> 
> Cheers,
> 
> Phil



_______________________________________________
Jboss-development mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-development