directory-dev mailing list archives

From Alex Karasulu <aok...@bellsouth.net>
Subject Re: Access to LdapPrincipal constructor
Date Sat, 30 Apr 2005 03:17:21 GMT
Alex Karasulu wrote:

> Endi Sukma Dewata wrote:
>
>> Hi,
>>
>> I just found out that the access to LdapPrincipal constructor has 
>> been restricted to the package only. This is a problem because any 
>> custom Authenticator would need to create and return an LdapPrincipal 
>> object in the authenticate() method. See the example under Custom 
>> Authenticator:
>>
>> http://directory.apache.org/subprojects/apacheds/users/authentication.html. 
>>
>> Is there a specific example where making the constructor publicly 
>> accessible would pose a security problem? Any suggestions on how to 
>> resolve this? Thanks a lot.
>>
> Ahh yeah I thought I confronted this at some point.  I have to refresh 
> myself.  Basically LdapPrincipal can only be created by the Auth 
> service you are right.  This is for security reasons and the reason 
> why we keep it package friendly.  I know I made some kind of changes 
> to accommodate a way for your Authenticators to be ok with this.
>
> Will post back in a bit....

Yah looks like my fix was to move the SimpleAuthenticator into the authn 
package where the LdapPrincipal is.  Not very good if you want to write 
your own Authenticator, is it?  Even if you put your Authenticator impl 
into the authn package it should not be able to work unless you 
repackage the jars.  Hmmm I really worry about making the LdapPrincipal 
constructor public.  Gotta figure something out though.

Alex

