[higgins-dev] Identity for IContext.open

This issue has come up in the past, and now that we've started implementing it, it seems like a good time to resolve it.
 
IContext.open(Object identity) uses the passed identity to open and authenticate the context (typically to a backing identity store).
 
An IdAS consumer has no way of knowing what kinds of objects should or may be passed to a context it is trying to open, unless it has some kind of intimate knowledge of the context implementation.
 
Here's a snippet from the sample code I sent to assist in STS to IdAS integration:
 
import org.bandit.higgins.cp.jndi.BasicUsernamePasswordIdentity;
...
context.open(new BasicUsernamePasswordIdentity(_username, _password));

How did the caller know to use a "BasicUsernamePasswordIdentity"?  Only because he knew exactly what kind of context he was dealing with.  And note the import statement.  I know we don't intend to require this level of intimate CP knowledge on the part of IdAS consumers.
 
I think it would be good if we:
* defined an authIdentity interface or used something like javax.security.auth.Subject, or org.eclipse.ecf.core.identity.ID as the base type for IContext.open
* Implemented a few basic auth classes in IdAS
* Provided a way for consumers of IContext to interrogate the supported auth identity object types supported by that context.
 
Where we left this thread last time was a lukewarm agreement that the third bullet above was to be done via the context's policy.  Note that IContext doesn't have policy, only IContextFactory (can be remedied if needed).  Or does it belong as some standardized Context metadata?
 
I'm open to suggestions -- if none are given, I propose a refinement of my three bullets.
 
Jim
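
An added sketch of the three bullets in the message above, not code from the post or from Higgins: every type and method name in it (AuthIdentity, UsernamePasswordIdentity, AnonymousIdentity, SketchContext, DirectoryContext, getSupportedAuthIdentityTypes) is hypothetical, and DirectoryContext is a constructed provider. It shows a consumer picking an identity object from what the context advertises, with no import from a provider package.

```java
import java.util.List;

// Hypothetical base type for IContext.open (first bullet); not a Higgins interface.
interface AuthIdentity {}

// Hypothetical basic auth classes shipped with IdAS itself (second bullet).
final class UsernamePasswordIdentity implements AuthIdentity {
    final String username;
    final char[] password;
    UsernamePasswordIdentity(String username, char[] password) {
        this.username = username;
        this.password = password.clone(); // defensive copy of the secret
    }
}

final class AnonymousIdentity implements AuthIdentity {}

// Stand-in for IContext with an interrogation method (third bullet).
interface SketchContext {
    List<Class<? extends AuthIdentity>> getSupportedAuthIdentityTypes();
    void open(AuthIdentity identity);
}

// Constructed provider; a real one would bind to its backing identity store here.
final class DirectoryContext implements SketchContext {
    public List<Class<? extends AuthIdentity>> getSupportedAuthIdentityTypes() {
        return List.of(UsernamePasswordIdentity.class);
    }
    public void open(AuthIdentity identity) {
        if (!(identity instanceof UsernamePasswordIdentity)) {
            throw new IllegalArgumentException("unsupported identity type");
        }
        System.out.println("opened as " + ((UsernamePasswordIdentity) identity).username);
    }
}

public class OpenSketch {
    // Consumer side: depends only on the shared types, never on a provider package.
    static void openWith(SketchContext context, String user, char[] pass) {
        List<Class<? extends AuthIdentity>> types = context.getSupportedAuthIdentityTypes();
        if (types.contains(UsernamePasswordIdentity.class)) {
            context.open(new UsernamePasswordIdentity(user, pass));
        } else if (types.contains(AnonymousIdentity.class)) {
            context.open(new AnonymousIdentity());
        } else {
            throw new IllegalStateException("no identity type in common with this context");
        }
    }
    public static void main(String[] args) {
        openWith(new DirectoryContext(), "alice", "constructed-sample".toCharArray());
    }
}
```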
