[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-1032) Integration with JBoss SSO
Arthur Troyer (JIRA)
jira-events at lists.jboss.org
Fri May 11 11:35:52 EDT 2007
[ http://jira.jboss.com/jira/browse/JBSEAM-1032?page=comments#action_12362066 ]
Arthur Troyer commented on JBSEAM-1032:
As I see it, if the user has already been authenticated via an SSOSession, you do not need to call the loginContext.login() method. This addresses the problem of crossing systems/domains that may have different passwords. The assumption is that if the user has been authenticated by one of the trusted applications, he does not need to be authenticated again. You would just have to create the subject and populate it with the principal.
This leaves the issue of Authorization. If the JAAS login is supplying the roles, and you are not doing the login, these roles would not be present. One possible solution to this is to provide access to the principal and subject, in a protected (instead of private) way. Instead of calling the loginContext.login() routine, you would call a routine named "SSOProvideRoles". This routine would read the LDAP to get the roles. As an added feature, since you have made the principal and subject variables protected, a developer could extend the method and override this "SSOProvideRoles" method and populate the subject with the roles in whatever manner he desires.
> Integration with JBoss SSO
> Key: JBSEAM-1032
> URL: http://jira.jboss.com/jira/browse/JBSEAM-1032
> Project: JBoss Seam
> Issue Type: Feature Request
> Components: Security
> Affects Versions: 1.2.0.GA
> Reporter: Shane Bryzak
> Assigned To: Shane Bryzak
> We should provide integration of Seam Security with JBoss SSO.
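The design proposed in the comment, sketched as an added example; it is not part of the original message and is not Seam or JBoss SSO code. All class and method names (`SsoIdentity`, `establishFromSso`, `ssoProvideRoles`, `Named`) are hypothetical, the in-memory map is a constructed stand-in for the LDAP lookup, and `ssoUser` is assumed to come from an SSO session the container has already validated.

```java
import java.security.Principal;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;

public class SsoSubjectExample {
    // Minimal Principal used for both the user and the role entries.
    static final class Named implements Principal {
        private final String name;
        Named(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof Named && ((Named) o).name.equals(name); }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name; }
    }

    static class SsoIdentity {
        protected Subject subject;      // protected rather than private, so
        protected Principal principal;  // subclasses can populate roles

        // Takes the place of loginContext.login() when SSO already authenticated the user.
        // Assumption: ssoUser is read from a validated SSO session, never from request input.
        public Subject establishFromSso(String ssoUser) {
            if (ssoUser == null || ssoUser.isEmpty())
                throw new SecurityException("no authenticated SSO user");
            subject = new Subject();
            principal = new Named(ssoUser);
            subject.getPrincipals().add(principal);
            ssoProvideRoles();
            subject.setReadOnly();      // no principals can be added after this point
            return subject;
        }

        // Default role source. Constructed table standing in for the LDAP read;
        // a user with no entry gets no role principals at all.
        protected void ssoProvideRoles() {
            Map<String, List<String>> directory = Map.of("alice", List.of("user", "admin"));
            for (String role : directory.getOrDefault(principal.getName(), List.of()))
                subject.getPrincipals().add(new Named("role:" + role));
        }
    }

    public static void main(String[] args) {
        System.out.println(new SsoIdentity().establishFromSso("alice").getPrincipals());
        SsoIdentity custom = new SsoIdentity() {   // developer-supplied override
            @Override protected void ssoProvideRoles() {
                subject.getPrincipals().add(new Named("role:guest"));
            }
        };
        System.out.println(custom.establishFromSso("bob").getPrincipals());
    }
}
```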