geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Jencks (JIRA)" <>
Subject [jira] Created: (GERONIMO-2687) All "default" Subjects should be obtained by logging in to a realm, not constructed explicitly
Date Tue, 02 Jan 2007 22:08:27 GMT
All "default" Subjects should be obtained by logging in to a realm, not constructed explicitly

                 Key: GERONIMO-2687
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: security
    Affects Versions: 2.0
            Reporter: David Jencks
         Assigned To: David Jencks

We have several places where we just construct a Subject for a default principal or some such.
 This ties us to some very restrictive assumptions about what a principal is that are incompatible
with e.g. triplesec.  Also it separates security management into maintaining the login backing
store (e.g. ldap) and maintaining the deployment plan. 

Instead, all these subjects should be obtained by logging into a realm.  To do this we need
way to supply the appropriate credentials.

I'm thinking of an interface

public interface CredentialStore {
    Subject getSubject(String realm, String id) throws LoginException;

that appropriate bits can use to get the subject they need.  The normal implementation can
store credentials for the ids and log in to the realm indicated.  We can have a backwards-compatible
implementation that constructs the subject as is done currently.

Even better would be to have this accessible only through having some permissions.  However
this would require starting the server to require credentials.  I'm not sure how to implement
that or if it would have widespread support.

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators:
For more information on JIRA, see:


View raw message