directory-dev mailing list archives

From "Endi Sukma Dewata" <>
Subject RE: Access to LdapPrincipal constructor
Date Tue, 03 May 2005 04:11:26 GMT
Hi Alex,

How about adding a protected method in the AbstractAuthenticator that
creates the LdapPrincipal? This way the constructor can remain private, but
the subclasses can still call this method to create the LdapPrincipal
instance. This at least can be a temporary solution until we figure out a
better way to do it. Thanks.

Endi S. Dewata

-----Original Message-----
From: Alex Karasulu [] 
Sent: Friday, April 29, 2005 10:17 PM
To: Apache Directory Developers List
Subject: Re: Access to LdapPrincipal constructor

Alex Karasulu wrote:

> Endi Sukma Dewata wrote:
>> Hi,
>> I just found out that the access to LdapPrincipal constructor has 
>> been restricted to the package only. This is a problem because any 
>> custom Authenticator would need to create and return an LdapPrincipal 
>> object in the authenticate() method. See the example under Custom 
>> Authenticator:
>> Is there a specific example where making the constructor publicly 
>> accessible would pose a security problem? Any suggestions on how to 
>> resolve this? Thanks a lot.
> Ahh yeah I thought I confronted this at some point.  I have to refresh 
> myself.  Basically LdapPrincipal can only be created by the Auth 
> service you are right.  This is for security reasons and the reason 
> why we keep it package friendly.  I know I made some kind of changes 
> to accommodate a way for your Authenticators to be ok with this.
> Will post back in a bit....

Yah looks like my fix was to move the SimpleAuthenticator into the authn 
package where the LdapPrincipal is.  Not very good if you want to write 
your own Authenticator, is it?  Even if you put your Authenticator impl 
into the authn package it should not be able to work unless you 
repackage the jars.  Hmmm I really worry about making the LdapPrincipal 
constructor public.  Gotta figure something out though.
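
The protected factory method proposed in the reply at the top of this thread could look like the following. This is an added example, not code from the Apache Directory project or from either poster; the package names, the `createLdapPrincipal` method, the constructor and `authenticate()` signatures, and `SharedSecretAuthenticator` are assumptions made for illustration.

```java
// Three source files shown together; package names and signatures are hypothetical.
// --- example/authn/LdapPrincipal.java ---
package example.authn;

public final class LdapPrincipal implements java.security.Principal {
    private final String dn;

    // Package-private: code outside example.authn cannot call this directly.
    LdapPrincipal(String dn) { this.dn = dn; }

    @Override public String getName() { return dn; }
}

// --- example/authn/AbstractAuthenticator.java ---
package example.authn;

public abstract class AbstractAuthenticator {
    // The one creation path open to subclasses in other packages; final so a
    // subclass cannot replace it. Checks or audit logging added here apply to all.
    protected final LdapPrincipal createLdapPrincipal(String dn) {
        return new LdapPrincipal(java.util.Objects.requireNonNull(dn, "dn"));
    }

    public abstract LdapPrincipal authenticate(String dn, byte[] credentials);
}

// --- com/acme/auth/SharedSecretAuthenticator.java (a custom authenticator) ---
package com.acme.auth;

import example.authn.AbstractAuthenticator;
import example.authn.LdapPrincipal;
import java.security.MessageDigest;

public class SharedSecretAuthenticator extends AbstractAuthenticator {
    private final byte[] expected;

    public SharedSecretAuthenticator(byte[] expected) { this.expected = expected.clone(); }

    @Override
    public LdapPrincipal authenticate(String dn, byte[] credentials) {
        // Constant-time comparison of the presented secret.
        if (credentials == null || !MessageDigest.isEqual(expected, credentials)) {
            throw new SecurityException("invalid credentials");
        }
        // "new LdapPrincipal(dn)" would not compile here: the constructor is
        // package-private. The inherited factory method is the only route.
        return createLdapPrincipal(dn);
    }
}
```

A protected method is callable from any subclass in any package, so this arrangement keeps principal creation on one auditable path rather than limiting it to trusted code. What still has to be controlled is which authenticator classes the server is configured to load.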

