users@glassfish.java.net

Re: Custom Principals with Custom Realm

From: Kumar.Jayanti <Vbkumar.Jayanti_at_Sun.COM>
Date: Mon, 07 Feb 2011 16:48:04 +0530

On 07/02/11 4:41 PM, Kumar.Jayanti wrote:
> On 07/02/11 4:35 PM, Marvan Spagnolo wrote:
>> Hi all,
>>
>> in the company I work for we've a project where we set up GlassFish
>> with a custom realm and a custom login module.
>> So far, we have more or less followed what is highlighted in the
>> "Oracle Glassfish Server 3.0.1 Application Development Guide"
>> in the section "Realm Configuration", thus we've overridden the
>> authenticate() method while extending AppservPasswordLoginModule
>> (and provided also our custom realm).
>>
>> What I would like to do now is to provide a custom class implementing
>> Principal and setting in the subject those custom principals upon
>> successful authentication.
>>
>> I've read in the guide mentioned above that I should never override
>> the commit method, yet it seems the only possible way to insert
>> custom principals in the subject, especially when I then read in the
>> javadoc of the public method AppservPasswordLoginModule#getSubject()
>> the following:
>>
>> [...]
>> A custom login module could overwrite commit() method, and call
>> getSubject()
>> to get subject being authenticated inside its commit(). Custom
>> principal then can be added to subject.
>> [...]
>>
>> So the code seems to be negating what the guide says, I am inclined
>> to follow what is suggested in the code, but what do you people think?
>> What is the best practice for setting custom principals in a custom
>> realm scenario?
> You could do that. But be aware that the Custom Principal will not be
> used by the container Authorization framework. Is that fine for your
> use case?
>
We had a planned item SEC-011 that we did not address in V3.1. It will
be a candidate for V3.2.

http://wikis.sun.com/display/GlassFish/3.1NewSecurityFeatures

regards,
kumar
>>
>> Thanks in advance,
>>
>> Reza Marvan Spagnolo
>>
>
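The approach discussed in the thread (override commit(), fetch the Subject with getSubject(), add the custom Principal after the base class has done its work), written out as an added Java example; it is not code from the original mail or from the GlassFish code base. It assumes GlassFish 3.x's AppservPasswordLoginModule, whose abstract hook is authenticateUser() and which exposes _username, _currentRealm, getPasswordChar() and commitUserAuthentication(); TenantRealm with its authenticate() and tenantOf() methods, and TenantPrincipal itself, are hypothetical names constructed for the example.

```java
import java.security.Principal;
import java.util.Objects;
import javax.security.auth.login.LoginException;
import com.sun.appserv.security.AppservPasswordLoginModule;

public class TenantLoginModule extends AppservPasswordLoginModule {
    /** Custom Principal carrying a tenant id (constructed example). */
    public static final class TenantPrincipal implements Principal {
        private final String name;
        private final String tenantId;
        public TenantPrincipal(String name, String tenantId) {
            this.name = Objects.requireNonNull(name);
            this.tenantId = Objects.requireNonNull(tenantId);
        }
        @Override public String getName() { return name; }
        public String getTenantId() { return tenantId; }
        // equals/hashCode matter: Subject.getPrincipals() is a Set.
        @Override public boolean equals(Object o) {
            return o instanceof TenantPrincipal
                && name.equals(((TenantPrincipal) o).name)
                && tenantId.equals(((TenantPrincipal) o).tenantId);
        }
        @Override public int hashCode() { return Objects.hash(name, tenantId); }
    }

    private String tenantId; // resolved in authenticateUser(), consumed in commit()

    @Override
    protected void authenticateUser() throws LoginException {
        // _username, getPasswordChar() and _currentRealm are populated by the base class.
        if (!(_currentRealm instanceof TenantRealm)) { // TenantRealm: hypothetical custom realm
            throw new LoginException("Configured realm is not a TenantRealm");
        }
        TenantRealm realm = (TenantRealm) _currentRealm;
        String[] groups = realm.authenticate(_username, getPasswordChar()); // hypothetical method
        if (groups == null) {
            throw new LoginException("Authentication failed for " + _username);
        }
        tenantId = realm.tenantOf(_username); // hypothetical method
        commitUserAuthentication(groups); // marks success and hands the groups to the container
    }

    @Override
    public boolean commit() throws LoginException {
        boolean committed = super.commit(); // adds the container's own user/group Principals
        if (committed) {
            // Extra Principal for application code; container authorization still uses the groups.
            getSubject().getPrincipals().add(new TenantPrincipal(_username, tenantId));
        }
        return committed;
    }
}
```

Application code can later recover the extra attribute by iterating the Subject's principals and picking out the TenantPrincipal instance, while role checks such as isUserInRole() continue to be driven solely by the groups passed to commitUserAuthentication().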