Posted to dev@jackrabbit.apache.org by "Rory Douglas (JIRA)" <ji...@apache.org> on 2008/08/19 17:11:44 UTC

[jira] Created: (JCR-1719) Make the extraction of Session UserIDs from Subjects configurable

Make the extraction of Session UserIDs from Subjects configurable
-----------------------------------------------------------------

                 Key: JCR-1719
                 URL: https://issues.apache.org/jira/browse/JCR-1719
             Project: Jackrabbit
          Issue Type: New Feature
          Components: jackrabbit-core, security
    Affects Versions: core 1.4.5, 1.5
            Reporter: Rory Douglas
            Priority: Minor


The SessionImpl class must extract a string name from the Principals in a Subject to use as the Session userID.  In 1.4 the SessionImpl class directly selects the first available Principal.  In 1.5, this is delegated to the SecurityManager, which chooses the first non-group principal.

It would be useful to be able to configure specific selection criteria for the Principal used for the Session userID.  A simple mechanism would involve specifying a Principal implementation classname in the configuration, and the first instance of that class found in the Subject would be used for the userID.  One way to implement this in 1.4 would be to extend AuthContext to include a method getSessionPrincipal() which encapsulates the selection logic, and adding an option to the LoginModuleConfig to specify the class name of the Principal to select.

A particular use case is using the LDAP LoginModule from Sun JDK 6 with the repository.  The first Principal LdapLoginModule populates into the Subject is an instance of LdapPrincipal, which renders the userID as the full DN of the user.  The LoginModule also adds an instance of UserPrincipal, whose name is the simple username/uid attribute, which would be more appropriate as the Session userId since it corresponds to the username provided by the user to application authentication mechanisms (the provided username is expanded into the full DN prior to authentication by the login module).  If the above configuration mechanism were available, one could configure the LdapLoginModule, and specify that the userID be extracted from the first instance of com.sun.security.auth.UserPrincipal.  Since rewriting LoginModules is not always possible or desirable, this change would enable the stable integration of 3rd-party login modules that may populate the Subject with several principals.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
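
The selection mechanism proposed in the issue above, as an added example that is not Jackrabbit code and not part of the original message: the first Principal in the Subject that is an instance of a configured class supplies the session userID, with a fallback to the first available Principal (the 1.4 behaviour described above). The class SessionUserIdExample, the helper sessionUserId() and the DnPrincipal/UidPrincipal records are hypothetical stand-ins for LdapPrincipal and UserPrincipal; records require Java 16 or later.

```java
import java.security.Principal;
import java.util.Iterator;
import javax.security.auth.Subject;

public class SessionUserIdExample {

    // Constructed stand-ins: one principal carrying the full DN, one the short uid.
    record DnPrincipal(String dn) implements Principal {
        public String getName() { return dn; }
    }
    record UidPrincipal(String uid) implements Principal {
        public String getName() { return uid; }
    }

    /**
     * Hypothetical helper. Returns the name of the first principal that is an
     * instance of the configured class; if none is configured or none matches,
     * falls back to the first principal in the Subject. Returns null for an
     * empty Subject.
     */
    static String sessionUserId(Subject subject, String configuredClassName)
            throws ClassNotFoundException {
        if (configuredClassName != null) {
            Class<?> wanted = Class.forName(configuredClassName);
            // Reject a misconfigured class name instead of silently ignoring it:
            // the userID feeds access control and audit records.
            if (!Principal.class.isAssignableFrom(wanted)) {
                throw new IllegalArgumentException(configuredClassName + " is not a Principal");
            }
            for (Principal p : subject.getPrincipals()) {
                if (wanted.isInstance(p)) { // subclasses of the configured class match too
                    return p.getName();
                }
            }
        }
        Iterator<Principal> it = subject.getPrincipals().iterator();
        return it.hasNext() ? it.next().getName() : null;
    }

    public static void main(String[] args) throws Exception {
        Subject subject = new Subject();
        // Constructed sample data, added in the order the issue describes.
        subject.getPrincipals().add(new DnPrincipal("uid=jdoe,ou=people,dc=example,dc=org"));
        subject.getPrincipals().add(new UidPrincipal("jdoe"));

        System.out.println("no class configured: " + sessionUserId(subject, null));
        System.out.println("uid class configured: "
                + sessionUserId(subject, UidPrincipal.class.getName()));
    }
}
```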


[jira] Resolved: (JCR-1719) Make the extraction of Session UserIDs from Subjects configurable

Posted by "angela (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JCR-1719?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

angela resolved JCR-1719.
-------------------------

       Resolution: Fixed
    Fix Version/s: 2.0.0

revision 828791

Extended securitymanagerconfiguration to specify a class that should be used to retrieve the
userid from. If such a principal is present in the subject, its name will be used as userID; otherwise
the current (fallback) scenarios are used.

> Make the extraction of Session UserIDs from Subjects configurable
> -----------------------------------------------------------------
>
>                 Key: JCR-1719
>                 URL: https://issues.apache.org/jira/browse/JCR-1719
>             Project: Jackrabbit Content Repository
>          Issue Type: New Feature
>          Components: jackrabbit-core, security
>    Affects Versions: core 1.4.5, 1.5.0
>            Reporter: Rory Douglas
>            Priority: Minor
>             Fix For: 2.0.0
>
>
> The SessionImpl class must extract a string name from the Principals in a Subject to use as the Session userID.  In 1.4 the SessionImpl class directly selects the first available Principal.  In 1.5, this is delegated to the SecurityManager, which chooses the first non-group principal.
> It would be useful to be able to configure specific selection criteria for the Principal used for the Session userID.  A simple mechanism would involve specifying a Principal implementation classname in the configuration, and the first instance of that class found in the Subject would be used for the userID.  One way to implement this in 1.4 would be to extend AuthContext to include a method getSessionPrincipal() which encapsulates the selection logic, and adding an option to the LoginModuleConfig to specify the class name of the Principal to select.
> A particular use case is using the LDAP LoginModule from Sun JDK 6 with the repository.  The first Principal LdapLoginModule populates into the Subject is an instance of LdapPrincipal, which renders the userID as the full DN of the user.  The LoginModule also adds an instance of UserPrincipal, whose name is the simple username/uid attribute, which would be more appropriate as the Session userId since it corresponds to the username provided by the user to application authentication mechanisms (the provided username is expanded into the full DN prior to authentication by the login module).  If the above configuration mechanism were available, one could configure the LdapLoginModule, and specify that the userID be extracted from the first instance of com.sun.security.auth.UserPrincipal.  Since rewriting LoginModules is not always possible or desirable, this change would enable the stable integration of 3rd-party login modules that may populate the Subject with several principals.
