directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex Karasulu <>
Subject Re: Access to LdapPrincipal constructor
Date Tue, 03 May 2005 14:14:32 GMT
Endi Sukma Dewata wrote:

>Hi Alex,
>How about adding a protected method in the AbstractAuthenticator that
>creates the LdapPrincipal? This way the constructor can remain private, but
>the subclasses can still call this method to create the LdapPrincipal
>instance. This at least can be a temporary solution until we figure out a
>better way to do it. Thanks.
Hmmmm.  So to create an LdapPrincipal all you need to do is extend it.  
I should have made it final.  This sounds like the same security 
problem.  But you are right we do need something temporary.  Making the 
constructor public is the same thing.  WDYT should I do this just for now?


>>Ahh yeah I thought I confronted this at some point.  I have to refresh 
>>myself.  Basically LdapPrincipal can only be created by the Auth 
>>service you are right.  This is for security reasons and the reason 
>>while we keep it package friendly.  I know I made some kind of changes 
>>to accommodate a way for your Authenticators to be ok with this.
>>Will post back in a bit....
>Yah looks like my fix was to move the SimpleAuthenticator into the authn 
>package where the LdapPrincipal is.  Not very good if you want to write 
>your own Authenticator is it.  Even if you put your Authenticator impl 
>into the authn package it should not be able to work unless you 
>repackage the jars.  Hmmm I really worry about making the LdapPrincipal 
>constructor public.  Gotta figure something out though.

View raw message