[ELY-515] ServerAuthenticationContext rework #426
(Wasn't able to add a comment directly on SAC since the diff for that file is too large to be shown, so am commenting here.) It looks like the following two lines in SAC#assignName are in the wrong order - the post-realm NameRewriters should get applied after the realm has been selected.
Ah you're right, good catch. I copy-pasted that bit in pieces, must have scrambled it.
Just noticed the order also needs to be fixed in ActiveState#authorize:
Hmm I forgot to change that one to create an intermediate NameAssignedState. I better look at that more closely...
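The ordering point raised in the comments above, as an added Java sketch that is not part of this PR or of Elytron's code: it shows how running a post-realm rewriter before realm selection can change which realm an identity is resolved in. All class, method and realm names are hypothetical, and the sketch assumes the realm is chosen from an "@realm" qualifier that the post-realm rewriter strips.

```java
import java.util.Locale;
import java.util.Map;
import java.util.function.UnaryOperator;

// Added illustration. Every name below is hypothetical; none is Elytron's API.
public class RewriteOrderDemo {
    // Constructed sample data: realm name -> (principal -> role).
    static final Map<String, Map<String, String>> REALMS = Map.of(
            "corp", Map.of("alice", "admin"),
            "guest", Map.of("alice", "read-only"));

    // Pre-realm rewriter: normalises the raw name before a realm is chosen.
    static final UnaryOperator<String> PRE_REALM = n -> n.trim().toLowerCase(Locale.ROOT);

    // Post-realm rewriter: strips the "@realm" qualifier (assumed behaviour).
    static final UnaryOperator<String> POST_REALM =
            n -> n.indexOf('@') < 0 ? n : n.substring(0, n.indexOf('@'));

    // Realm mapper: selects the realm from the qualifier, else a default realm.
    static String selectRealm(String name) {
        int at = name.indexOf('@');
        return at < 0 ? "guest" : name.substring(at + 1);
    }

    static String lookup(String realm, String principal) {
        String role = REALMS.getOrDefault(realm, Map.of()).get(principal);
        return realm + "/" + principal + " -> " + (role == null ? "no such identity" : role);
    }

    // Intended order: pre-realm rewrite, realm selection, post-realm rewrite.
    static String assignName(String raw) {
        String name = PRE_REALM.apply(raw);
        String realm = selectRealm(name);
        return lookup(realm, POST_REALM.apply(name));
    }

    // Scrambled order: the post-realm rewriter runs before the realm is selected,
    // so the mapper never sees the qualifier and falls back to the default realm.
    static String assignNameScrambled(String raw) {
        String name = POST_REALM.apply(PRE_REALM.apply(raw));
        return lookup(selectRealm(name), name);
    }

    public static void main(String[] args) {
        System.out.println("intended:  " + assignName(" Alice@corp "));
        System.out.println("scrambled: " + assignNameScrambled(" Alice@corp "));
    }
}
```

With the constructed data, the same input resolves in two different realms depending only on the order of the two calls, which is why this kind of ordering slip is worth a regression test.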
I'm also going to make changes so that realm identities are disposed in finally blocks where appropriate.
Added one missing commit: UnassignedState.authorize() didn't check for anonymous.
Actually I'm going to update it though, to support non-required login permission checking for anonymous identities.
Added a commit which shrinks the IdentityPropagationTestCase by using the importIdentity method directly.
…better identity selection
…realm implementations
…rtAuthenticationMechanism to use it
…ty(SecurityIdentity) method
The checks disappeared so I fired off a new run.
* | ||
* @author <a href="mailto:david.lloyd@redhat.com">David M. Lloyd</a> | ||
*/ | ||
public final class IdentityLocator { |
Is 'Locator' really a good name here? To me locator gives the impression that it does something but from what I can see it is more a container for three optional values that can be used to obtain the realm identity.
Just so named because it "locates" the RealmIdentity. I'm open to suggestions though.
The one point really leaving me with questions is the IdentityLocator - I have mentioned some notes in the PR but thinking - are we sure it needs a name and a principal? We only seem to set the Principal in two locations, verifyEvidence where it is extracted from the evidence - but the evidence is contained within the IdentityLocator anyway. Secondly in assignName but now we end up with two different values to locate the RealmIdentity. Two other comments about SAC. Secondly we need a strategy around trace logging to diagnose issues, either we need a lot more in the code or if we don't want to do this possibly ensure something like ByteMan can capture enough information.
+1, additional documentation of SAC and its states would be good (especially a state diagram).
I'm working on documentation. I want to have some visual diagrams if possible; what I'm working out right now is whether there is a way that the diagrams can be generated, so that we can source-revision them without dealing in binary blobs, and so that we can update them seamlessly without worrying too much about tools going out of date. Trace logging is a good idea. I can add a good deal around that.
…e its builder to conform to convention
…nor behavioral tweaks to conform to the documentation)
No description provided.