portals-jetspeed-dev mailing list archives

From James Liao <jian.l...@gmail.com>
Subject About Jetspeed 2 Security Documentation
Date Mon, 22 Aug 2005 09:11:04 GMT

Hi David and all,
I finally got some time for j2 from now on.
I have read all your security documentation. For the chapter --
Architecture Overview (http://portals.apache.org/jetspeed-2/multiproject/jetspeed-security/arch.html),
I have a little question. In this chapter, the following is the
original text: "Authentication establishes the identity of the user
and populates the Subject with all the user principals. In a portal
context, the populated Subject is added to the session in the
org.apache.jetspeed.security.SecurityValve implementation."

I think we should make it clearer here: the subject object in the
portal context is not the original one which is populated by
LoginContext.login() (I once raised an issue for this problem --
http://issues.apache.org/jira/browse/JS2-238). So, that is to say,
a user can plug in their own JAAS Login Module by configuring
login.conf, but just for verification. Any action like adding a credential to
the subject's public or private credential set in the user's own Login Module
is meaningless, because the subject object populated by the
LoginContext.login() method will just be abandoned after the JAAS
authentication.

Does it make sense?

- James Liao
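
The behaviour described in the message above, as an added example that is not part of the original post and is not Jetspeed code: a custom JAAS LoginModule attaches a credential in commit(), and a caller that builds a fresh Subject after login loses it. The class names, the user "alice", the token string and the principals-only rebuild step are assumptions made for illustration.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class SubjectRebuildDemo {
    static final class NamePrincipal implements Principal {
        private final String name;
        NamePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    // Hypothetical custom module: always authenticates a constructed user and,
    // in commit(), attaches a principal plus a public credential to the Subject.
    public static class TokenLoginModule implements LoginModule {
        private Subject subject;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) { subject = s; }
        public boolean login() { return true; }
        public boolean commit() {
            subject.getPrincipals().add(new NamePrincipal("alice"));
            subject.getPublicCredentials().add("sso-token-constructed");
            return true;
        }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    // Stands in for the login.conf entry that plugs the module in.
    static Configuration config() {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    TokenLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
            }
        };
    }
    public static void main(String[] args) throws LoginException {
        LoginContext lc = new LoginContext("demo", null, null, config());
        lc.login();
        Subject fromJaas = lc.getSubject(); // the Subject the LoginModule populated
        // Assumed rebuild step: a fresh Subject that keeps principals only.
        Subject rebuilt = new Subject(false, new HashSet<Principal>(fromJaas.getPrincipals()),
                new HashSet<Object>(), new HashSet<Object>());
        System.out.println("JAAS subject credentials:    " + fromJaas.getPublicCredentials());
        System.out.println("rebuilt subject credentials: " + rebuilt.getPublicCredentials());
        if (!rebuilt.getPublicCredentials().containsAll(fromJaas.getPublicCredentials()))
            System.out.println("credentials set by the LoginModule did not reach the session Subject");
    }
}
```

The final check is the one worth keeping in an integration test: compare the credential sets of the Subject returned by LoginContext.getSubject() with the Subject the application actually stores in the session.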
