users@glassfish.java.net

Re: Custom authentication

From: <glassfish_at_javadesktop.org>
Date: Wed, 24 Mar 2010 12:36:40 PDT

I'm still a bit confused about two aspects. 1) How to designate the authenticated user and groups to the container, and 2) matching previously authenticated Principals to subsequent requests.


1)
The client Subject passed to validateRequest() is the Subject the container will use to authorize the resource in this particular request. So rather than do this:

clientSubject.getPrincipals().add( principal );

the authenticated Principal should be specified to the container like this:

CallerPrincipalCallback cpCallback = new CallerPrincipalCallback( clientSubject, principal );

Then to specify the group membership of the authenticated Principal, something akin to this code is required:

GroupPrincipalCallback gpCallback = new GroupPrincipalCallback( clientSubject, new String[] { "group1", "group" } );
// callbackHandler is the CallbackHandler instance the container passed to the SAM's initialize()
callbackHandler.handle( new Callback[]{ cpCallback, gpCallback } );

Is this correct? If so, what is the purpose of the container passing the client and server Subjects to the SAM? In what cases should/would a SAM modify these Subjects? Could the SAM, for instance, replace the container-specified, client Subject with a custom Subject? (e.g. CallerPrincipalCallback cpCallback = new CallerPrincipalCallback( myCustomSubject, principal ); )



2)
The SAM can (should?) use the container's session storage to cache previously authenticated Principals? On subsequent requests the SAM could obtain the previously authenticated user Principal and groups from the container's session mechanism and specify these to the container?



Thanks again for your help,
Andrew
[Message sent by forum member 'andrewlaughlin']

http://forums.java.net/jive/thread.jspa?messageID=393564
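As an added illustration (not code from this thread or from GlassFish), a hypothetical JASPIC ServerAuthModule that does what points 1 and 2 describe: it hands the caller and groups to the container through the CallbackHandler instance received in initialize(), and caches the authenticated name and groups in the HttpSession so later requests re-announce them without re-checking credentials. The authenticate/groupsOf hooks and the session attribute names are assumptions of the example.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

// Hypothetical SAM: authenticate once, cache the result in the HttpSession, re-announce it every request.
public abstract class SessionCachingSam implements ServerAuthModule {
    private static final String USER_KEY = "sam.user";    // attribute names are this example's own choice
    private static final String GROUPS_KEY = "sam.groups";
    private CallbackHandler handler;                       // the instance the container passes to initialize()
    protected abstract String authenticate(HttpServletRequest request); // hypothetical: user name, or null if invalid
    protected abstract String[] groupsOf(String user);                  // hypothetical: groups of an authenticated user
    public void initialize(MessagePolicy reqPolicy, MessagePolicy resPolicy, CallbackHandler handler, Map options) {
        this.handler = handler;
    }
    public AuthStatus validateRequest(MessageInfo mi, Subject clientSubject, Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) mi.getRequestMessage();
        HttpSession session = request.getSession(false);   // never create a session for anonymous traffic
        String user = session == null ? null : (String) session.getAttribute(USER_KEY);
        String[] groups = session == null ? null : (String[]) session.getAttribute(GROUPS_KEY);
        if (user == null) {                                 // nothing cached: verify credentials now
            user = authenticate(request);
            if (user == null) {
                ((HttpServletResponse) mi.getResponseMessage()).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                return AuthStatus.SEND_FAILURE;
            }
            groups = groupsOf(user);
            session = request.getSession(true);             // cache the identity only after a successful check
            session.setAttribute(USER_KEY, user);
            session.setAttribute(GROUPS_KEY, groups);
        }
        try {  // the portable way to tell the container who the caller is: the callbacks, not clientSubject.getPrincipals().add()
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, user),
                new GroupPrincipalCallback(clientSubject, groups) });
        } catch (Exception e) {
            throw new AuthException("callback handling failed: " + e);
        }
        return AuthStatus.SUCCESS;
    }
    public AuthStatus secureResponse(MessageInfo mi, Subject serviceSubject) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo mi, Subject subject) {  // logout: drop the cached identity with the session
        HttpSession session = ((HttpServletRequest) mi.getRequestMessage()).getSession(false);
        if (session != null) session.invalidate();
    }
    public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }
}
```

Because the cached identity lives only as long as the session, anything that should end the login (logout, session timeout) must also remove or invalidate that session, which is what cleanSubject does here.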