On Fri, Sep 12, 2008 at 6:05 AM, Rickard Öberg <[EMAIL PROTECTED]> wrote:
> Richard Wallace wrote:
> > I'm getting to a point where I'm going to need to add some good ole
> > authentication and authorization to my app. I've been looking over
> > what's in the auth library and it looks pretty good so far. It's nice
> > and simple and will definitely handle my needs. That is, at the
> > authorization part will. There doesn't seem to really have been
> > anything done on the Authentication side of things. I'm more than
> > willing to write the required servlet filters for username and password
> > based authentication along with remember me support. I just need a bit
> > of help in figuring one particular bit out.
> >
> > I've been trying to figure out where to put the logged in user
> > information. At first I was thinking of just creating a thread local
> > and stuffing the User object in there. But then I noticed the
> > UserPrincipal class and looked for places where it was being used. That
> > led me to the RequiresPermission annotation. The way it finds the
> > authenticated user is by getting the UserPrincipal of the Subject. The
> > part I'm struggling with is how to get that Subject populated. I'm
> > somewhat familiar with JAAS, but I'd rather not have to use it if I
> > don't have to.
>
> Are you asking how to set the Subject? If so, just read the JAAS guide
> here:
>
> http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/JAASRefGuide.html#Subject
>
> Basically calling doAs() with an action that does what you want, which
> in the servlet filter case is to call next on the chain.

Ah ok. Like I said, I'm somewhat familiar with JAAS, but it has been a while.

> I've implemented filters that implement JAAS in SiteVision, and it works
> but is sort of kludgy since JAAS was not meant for request/response
> oriented systems. I can't think of any better API to use though is the
> problem. Any suggestions are welcome. We could go for our own API as
> well, and just have implementation that delegates to JAAS if one wants to.

Ya, I'm not a fan of the kludginess of using JAAS and the callback handlers in a web environment. Being able to use all the different LoginModules would be nice for some people, I'm sure, but it's not a huge requirement of mine at the moment. I definitely think having our own API is probably the way to go. I'll see if I can work on something in the next few weeks (maybe this weekend, but I can't promise anything ;).

Rich
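The pattern Rickard describes above (a servlet filter that wraps the rest of the chain in `Subject.doAs()` so that downstream permission checks can find the current user's principal on the Subject) as an added example; this is illustration code, not qi4j's own auth library or anything from the thread. It assumes the javax.servlet API and that a separate login filter has already verified the credentials and stored the user name in a session attribute; `ExampleUserPrincipal` and the attribute name `USER_ATTR` are stand-ins invented for the example, not qi4j's `UserPrincipal` class.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Minimal Principal used to keep the example self-contained.
 * Assumption: this stands in for the application's own principal type
 * (qi4j's UserPrincipal in the thread); it is not that class.
 */
final class ExampleUserPrincipal implements Principal {
    private final String name;
    ExampleUserPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public String toString() { return "ExampleUserPrincipal[" + name + "]"; }
}

/** Binds a per-request Subject around the remainder of the filter chain. */
public class SubjectFilter implements Filter {
    // Assumption: the login filter stores the verified user name under this key.
    static final String USER_ATTR = "example.authenticatedUser";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(final ServletRequest req, final ServletResponse res,
                         final FilterChain chain) throws IOException, ServletException {
        Subject subject = subjectFor((HttpServletRequest) req);
        try {
            // Subject.doAs associates the Subject with the AccessControlContext for
            // the duration of the action. Calling chain.doFilter inside it means every
            // downstream filter/servlet, and anything that asks
            // Subject.getSubject(AccessController.getContext()), sees this request's
            // user, and the association ends when the request does, so a pooled
            // thread cannot carry one user's Subject into the next request.
            Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws IOException, ServletException {
                    chain.doFilter(req, res);
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            // doAs wraps checked exceptions from the action; unwrap so the container
            // still sees the real ServletException / IOException.
            Throwable cause = e.getCause();
            if (cause instanceof ServletException) throw (ServletException) cause;
            if (cause instanceof IOException) throw (IOException) cause;
            throw new ServletException(cause);
        }
    }

    /**
     * Builds the Subject for this request from the session. An unauthenticated
     * request gets an empty Subject, so a downstream check that looks for a
     * principal fails closed instead of finding a stale one.
     */
    static Subject subjectFor(HttpServletRequest request) {
        Subject subject = new Subject();
        HttpSession session = request.getSession(false); // never create a session here
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);
        if (user instanceof String) {
            subject.getPrincipals().add(new ExampleUserPrincipal((String) user));
        }
        subject.setReadOnly(); // nothing further down the chain can add principals
        return subject;
    }
}
```

Downstream code (the equivalent of the RequiresPermission check in the thread) would recover the user with `Subject.getSubject(AccessController.getContext())` and then `getPrincipals(ExampleUserPrincipal.class)`; an empty result means no one is logged in for this request. Marking the Subject read-only before entering the chain is the one defensive detail worth keeping whatever API ends up replacing JAAS: the principal set is fixed at the trust boundary and cannot be widened by application code later in the request.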
_______________________________________________ qi4j-dev mailing list [email protected] http://lists.ops4j.org/mailman/listinfo/qi4j-dev

