> Forgive me, I stand corrected. I missed the following lines in
> LDAPAuthentication.java:
>
> // Store the clear-text password to session if some of the
> // portlets need it (for example to single-signon functionality)
> user.setTemp( "sessionPassword", password );
>
> This works perfectly now and is exactly what I was looking for.
That was a temporary "kludge" that I added to the LDAP implementation a few months ago (because we needed the single sign-on functionality as well). Unfortunately, this line of code is not present in the database-based authentication code, and thus the two security implementations (LDAP/DB) are not symmetric (which I consider to be a very bad thing). In this case, your single sign-on portlet wouldn't work with the database-based security model.

I'm not sure if putting the clear-text password in the user's session is a security risk in the scope of the Jetspeed portal. If it is, the above line of code must be removed. If it is not considered to be a security risk, I would suggest adding similar functionality to the database-based security implementation as well. The correct way to achieve this would probably be to introduce a getClearTextPassword() method in the JetspeedUser interface.

For us the single sign-on functionality is very crucial, and therefore I think that the issue should be addressed.

Regards,

Sami

--
Sami Leino
Software Developer, Netorek Oy, Turku, Finland
Email: [EMAIL PROTECTED]
Phone: +358 44 0140499
