If this turns out to be a complaint about the way the JNDI CP is leaving the underlying connection in an incorrect authZ state when authenticating with AuthNSelfIssuedMaterials, I entered this defect: https://bugs.eclipse.org/bugs/show_bug.cgi?id=211945
I thought we had already entered it (we've talked about it a number of times), but it looks like we didn't get around to it.
Jim
>>> "Sergey Lyakhov" <slyakhov@xxxxxxxxxxxxxx> 12/04/07 11:50 AM >>>
Jim,
It seems the current implementation of authentication in IdAS (in both the JNDI CP and the Jena CP) using AuthNSelfIssuedMaterials credentials has some weakness. When a user gets a managed card with the self-issued token credential type, we open the IdAS context with the user's username/password credential and store the PPID value of the self-issued card as the "cardKeyHash" attribute value of the DigitalSubject (where the profile data is stored). So we are storing "PPID" credential data as user data. Then, when we perform PPID-based authentication, we open the IdAS context using some credentials (not related to the owner of the required profile) and select the DigitalSubject (profile) by the "cardKeyHash" attribute. This really does not look like the right implementation of PPID-based authentication. I suppose we need to add to the IdAS interfaces the ability to manage IdAS user accounts and support for multi-credential authentication.
Maybe there is some sense in making the following changes:
1. Add a new interface IUserAccount with methods:
   a) getCredentials() - return all credentials of the user which can be used by this user for authentication in the Context;
   b) getCredentialByType(credentialType);
   c) addCredential() - add a new credential (like a username/password credential);
   d) removeCredential();
2. Add to IContext the following methods:
   a) getSupportedCredentialTypes();
   b) buildCredential(credentialType);
   c) createUserAccount();
   d) removeUserAccount();
   e) getUserAccounts();
   f) getUserAccount(credential);
3. Change IContext.open(Object credentials) to return an instance of IUserAccount instead of ID of "default" DigitalSubject.
4. Also we propose to add a role-based authorization mechanism in such a way:
   a) extend IUserAccount with methods setRole() - assign the Role to the User; getRoles() - get all the Roles which the user has been assigned;
   b) extend IContext with methods createUserRole(), deleteUserRole(), getUserRoles(), getUserAccountsByRole();
   c) extend IDigitalSubject with methods setPermission(permissions, roles); clearPermission(permissions); or IContext with the same methods setPermissions(subjectId, permissions, roles); clearPermissions(subjectId, permissions, roles); permissions - read/modify/delete etc.
Thanks, Sergey Lyakhov