From: "David Jencks (JIRA)"
To: dev@geronimo.apache.org
Date: Sat, 9 Jun 2007 10:52:25 -0700 (PDT)
Message-ID: <10278257.1181411545940.JavaMail.jira@brutus>
In-Reply-To: <15218828.1167775707732.JavaMail.jira@brutus>
Subject: [jira] Closed: (GERONIMO-2687) All "default" Subjects should be obtained by logging in to a realm, not constructed explicitly

[ https://issues.apache.org/jira/browse/GERONIMO-2687?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Jencks closed GERONIMO-2687.
----------------------------------

    Resolution: Fixed
    Fix Version/s: 2.0-M7

Rev 545781.

This is a big change and most likely has caused other problems; let's deal with them in other jiras.

Other changes in this commit:

- new server-security-config module to hold the security stuff you want to change, whereas the j2ee-security module holds the stuff you probably don't want to change (including all the classes). This makes it easier to swap out the configuration for something for your installation.
- fixes a lot of security bugs I've lost track of. One notable one is mdb run-as handling which wasn't working at all.

> All "default" Subjects should be obtained by logging in to a realm, not constructed explicitly
> ----------------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-2687
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-2687
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>          Components: security
>    Affects Versions: 2.0-M5
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: 2.0-M7
>
>
> We have several places where we just construct a Subject for a default principal or some such. This ties us to some very restrictive assumptions about what a principal is that are incompatible with e.g. triplesec. Also it separates security management into maintaining the login backing store (e.g. ldap) and maintaining the deployment plan.
>
> Instead, all these subjects should be obtained by logging into a realm. To do this we need a way to supply the appropriate credentials.
>
> I'm thinking of an interface
>
> public interface CredentialStore {
>     Subject getSubject(String realm, String id) throws LoginException;
> }
>
> that appropriate bits can use to get the subject they need. The normal implementation can store credentials for the ids and log in to the realm indicated. We can have a backwards-compatible implementation that constructs the subject as is done currently.
> Even better would be to have this accessible only through having some permissions. However this would require starting the server to require credentials. I'm not sure how to implement that or if it would have widespread support.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
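As an added illustration, not code from the issue or from Geronimo, the Java sketch below implements the proposed CredentialStore interface the way the description outlines for the "normal implementation": the credentials stored for an id are fed to a JAAS LoginContext for the named realm, so the returned Subject carries whatever principals the realm's LoginModules commit rather than principals constructed by the caller. StoredCredential and LoginCredentialStore are hypothetical names, the realm argument is assumed to be a JAAS configuration entry name, and Java 16+ is assumed for records and pattern-matching instanceof.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** The interface as proposed in the issue. */
public interface CredentialStore {
    Subject getSubject(String realm, String id) throws LoginException;
}

/** Hypothetical record type: the username/password the store keeps for one id. */
record StoredCredential(String username, char[] password) {}

/**
 * Hypothetical "normal" implementation: looks up the credentials stored for id
 * and logs in to the named realm. The Subject carries whatever principals the
 * realm's LoginModules commit, so callers make no assumption about principal classes.
 */
final class LoginCredentialStore implements CredentialStore {
    private final Map<String, StoredCredential> credentials;

    LoginCredentialStore(Map<String, StoredCredential> credentials) {
        this.credentials = credentials;
    }

    @Override
    public Subject getSubject(String realm, String id) throws LoginException {
        StoredCredential c = credentials.get(id);
        if (c == null) {
            throw new LoginException("no stored credentials for id " + id);
        }
        // Answer the realm's callbacks from the stored credential instead of prompting a user.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback nc) nc.setName(c.username());
                else if (cb instanceof PasswordCallback pc) pc.setPassword(c.password());
                else throw new UnsupportedCallbackException(cb);
            }
        };
        // "realm" names the JAAS configuration entry whose LoginModules decide what principals appear.
        LoginContext ctx = new LoginContext(realm, handler);
        ctx.login();
        return ctx.getSubject();
    }
}
```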