Richard Wallace wrote:

> I'm getting to a point where I'm going to need to add some good ole authentication and authorization to my app. I've been looking over what's in the auth library and it looks pretty good so far. It's nice and simple and will definitely handle my needs. That is, the authorization part will. There doesn't seem to really have been anything done on the Authentication side of things. I'm more than willing to write the required servlet filters for username and password based authentication along with remember me support. I just need a bit of help in figuring one particular bit out.
>
> I've been trying to figure out where to put the logged in user information. At first I was thinking of just creating a thread local and stuffing the User object in there. But then I noticed the UserPrincipal class and looked for places where it was being used. That led me to the RequiresPermission annotation. The way it finds the authenticated user is by getting the UserPrincipal of the Subject. The part I'm struggling with is how to get that Subject populated. I'm somewhat familiar with JAAS, but I'd rather not have to use it if I don't have to.
Are you asking how to set the Subject? If so, just read the JAAS guide here: http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/JAASRefGuide.html#Subject

Basically calling doAs() with an action that does what you want, which in the servlet filter case is to call next on the chain. I've implemented filters that implement JAAS in SiteVision, and it works but is sort of kludgy since JAAS was not meant for request/response oriented systems. I can't think of any better API to use though is the problem. Any suggestions are welcome. We could go for our own API as well, and just have implementation that delegates to JAAS if one wants to.

/Rickard

_______________________________________________
qi4j-dev mailing list
[email protected]
http://lists.ops4j.org/mailman/listinfo/qi4j-dev
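The filter shape Rickard describes (populate a Subject, then run the rest of the chain inside Subject.doAs so downstream code can find the caller), written out as an added example. This is not Rickard's SiteVision filter and not qi4j code: the UserPrincipal class below is a stand-in for the one Richard found in the auth library, the session attribute name is an assumption, and the login filter that sets that attribute is assumed to exist separately.

```java
import java.io.IOException;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical stand-in for the auth library's UserPrincipal. */
final class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public String toString() { return "UserPrincipal[" + name + "]"; }
}

/** Runs the remainder of the filter chain with the session's user bound as the JAAS Subject. */
public final class SubjectFilter implements Filter {
    /** Assumed session attribute; the (separate) login filter stores the user name here. */
    static final String USER_ATTRIBUTE = "authenticatedUserName";

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        Subject subject = subjectFor((HttpServletRequest) req);
        try {
            // doAs binds the Subject to the AccessControlContext for the dynamic extent of the
            // action, so a RequiresPermission check further down the chain can look it up.
            Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
                chain.doFilter(req, resp);
                return null;
            });
        } catch (PrivilegedActionException e) {
            // Unwrap so the container sees the original exception type.
            Throwable cause = e.getCause();
            if (cause instanceof IOException) throw (IOException) cause;
            if (cause instanceof ServletException) throw (ServletException) cause;
            throw new ServletException(cause);
        }
    }

    /** Builds a read-only Subject; an unauthenticated request gets one with no principals. */
    static Subject subjectFor(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        Object name = session == null ? null : session.getAttribute(USER_ATTRIBUTE);
        Set<Principal> principals = new HashSet<>();
        if (name instanceof String) {
            principals.add(new UserPrincipal((String) name));
        }
        return new Subject(true, principals, Collections.emptySet(), Collections.emptySet());
    }

    /** What the authorization side does to find the caller: read the Subject off the context. */
    static UserPrincipal currentUser() {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) return null;
        Set<UserPrincipal> users = subject.getPrincipals(UserPrincipal.class);
        return users.isEmpty() ? null : users.iterator().next();
    }
}
```

Two points worth knowing before choosing this over the thread-local Richard considered: the Subject is visible only on the thread that called doAs and only while the action runs, so a request handed off to another thread (an executor, an async dispatch) sees no Subject unless the code propagates it explicitly; and building the Subject read-only means a later filter cannot quietly add principals to it, which is the property an authorization check relies on.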

