From: "Endi Sukma Dewata"
To: "'Apache Directory Developers List'"
Subject: RE: Access to LdapPrincipal constructor
Date: Mon, 2 May 2005 23:11:26 -0500

Hi Alex,

How about adding a protected method in the AbstractAuthenticator that creates the LdapPrincipal?
This way the constructor can remain private, but the subclasses can still call this method to create the LdapPrincipal instance. This at least can be a temporary solution until we figure out a better way to do it.

Thanks.

--
Endi S. Dewata

-----Original Message-----
From: Alex Karasulu [mailto:aok123@bellsouth.net]
Sent: Friday, April 29, 2005 10:17 PM
To: Apache Directory Developers List
Subject: Re: Access to LdapPrincipal constructor

Alex Karasulu wrote:

> Endi Sukma Dewata wrote:
>
>> Hi,
>>
>> I just found out that the access to LdapPrincipal constructor has
>> been restricted to the package only. This is a problem because any
>> custom Authenticator would need to create and return an LdapPrincipal
>> object in the authenticate() method. See the example under Custom
>> Authenticator:
>>
>> http://directory.apache.org/subprojects/apacheds/users/authentication.html.
>>
>> Is there a specific example where making the constructor publicly
>> accessible would pose a security problem? Any suggestions on how to
>> resolve this? Thanks a lot.
>>
> Ahh yeah I thought I confronted this at some point. I have to refresh
> myself. Basically LdapPrincipal can only be created by the Auth
> service you are right. This is for security reasons and the reason
> why we keep it package friendly. I know I made some kind of changes
> to accommodate a way for your Authenticators to be ok with this.
>
> Will post back in a bit....

Yah looks like my fix was to move the SimpleAuthenticator into the authn package where the LdapPrincipal is. Not very good if you want to write your own Authenticator is it. Even if you put your Authenticator impl into the authn package it should not be able to work unless you repackage the jars.

Hmmm I really worry about making the LdapPrincipal constructor public. Gotta figure something out though.

Alex
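
The protected factory method suggested in this message, sketched as an added example (not code from the thread or from ApacheDS). The package name `authn`, the method name `createLdapPrincipal`, the `authenticate` signature and the `FileAuthenticator` class are assumptions made for illustration, and each `// file:` marker starts a separate source file.

```java
// file: authn/LdapPrincipal.java  (package name is an assumption)
package authn;
public final class LdapPrincipal implements java.security.Principal {
    private final String name;
    // Package-private, as the thread describes: not callable outside authn.
    LdapPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

// file: authn/AbstractAuthenticator.java
package authn;

public abstract class AbstractAuthenticator {
    // Hypothetical signature: return a principal or throw on failure.
    public abstract LdapPrincipal authenticate(String dn, byte[] credentials);

    // Hypothetical factory: the one path to a principal for subclasses in
    // other packages. final, so a subclass cannot override it.
    protected final LdapPrincipal createLdapPrincipal(String dn) {
        if (dn == null || dn.isEmpty()) {
            throw new IllegalArgumentException("dn is required");
        }
        return new LdapPrincipal(dn);
    }
}

// file: com/example/FileAuthenticator.java  (hypothetical custom authenticator)
package com.example;

import authn.AbstractAuthenticator;
import authn.LdapPrincipal;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class FileAuthenticator extends AbstractAuthenticator {
    // Constructed sample secret; a real implementation would consult its own store.
    private static final byte[] SECRET = "constructed-secret".getBytes(StandardCharsets.UTF_8);

    @Override
    public LdapPrincipal authenticate(String dn, byte[] credentials) {
        // Constant-time comparison of the presented credentials.
        if (credentials == null || !MessageDigest.isEqual(SECRET, credentials)) {
            throw new SecurityException("authentication failed for " + dn);
        }
        // new LdapPrincipal(dn) would not compile here: the constructor is not visible.
        return createLdapPrincipal(dn);
    }
}
```

Because the factory is protected, any class that extends AbstractAuthenticator can obtain an LdapPrincipal, so construction is limited to authenticator subclasses rather than to the authn package.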