Where did the idea that a JNDI context provider only has one digital
subject come from? That is not the case. Once a context is open,
there are methods for obtaining/creating any number of digital subjects -
getSubject, addSubject. The subject ID returned by open is simply the
subject ID of the digital subject whose credentials were passed in.
There is no presumption that this is the one and only digital subject that
has to be retrieved or even will be retrieved.
As to information cards containing the subject ID, remember that
there is already a user credential specified in the card. The user
credential is what is passed to the STS to identify the digital subject
whose claims are to be retrieved. When the user credential type is
username/password, it is possible to actually use a single card to retrieve
claims for many digital subjects. I would recommend that subject
ID NOT be part of the card ID (if that is what is being proposed
here - it's not clear to me what is being proposed).
I have created an entire IdP using IdAS (see http://wag.bandit-project.org
It is a servlet coded in JSP and deployed on Tomcat. It is capable of
creating users (profiles), maintaining user profiles, issuing managed cards,
and issuing security tokens. It incorporates the higgins STS for
issuing security tokens. It happens to use the JNDI context provider,
but is not limited to it. It has been built using IdAS functionality
to keep it independent. The context provider is configurable, as are
many other things. There is a web interface for configuring and
administering it (the admin URL is http://wag.bandit-project.org/TokenService/admin.jsp
you would like, you can take a look at the code by downloading the tarball
at the following location:
The sts-1.0.654.tar.gz file contains all of the source.
Look in the *.jsp files to see how I use IdAS. We have built this
open source solution in the hopes that it would be helpful to others
who want to create an IdP that uses Higgins components.
>>> "Sergey Lyakhov"
<slyakhov@xxxxxxxxxxxxxx> 7/26/2007 7:01 AM
> Why do you think this is
According to IContext interface, IContext.open() method
can return ID of
DigitalSubject. It assumes, that each instance of
IContext contains exactly
one DigitalSubject (or some default subject).
But I think this is special
case of JNDI provider (one DigitalSubject
per Context), and we should not
accept this rule for all CPs. Context
should be able to contain more then
one DigitalSubject. So, I
1. Change the result type of IContext.open() from String to
2. If we need to get some DigitalSubject from the Context we
subjectID of required Subject. In other words, if we
need to get
DigitalSubject with claim values of some card, this card
should contain both
contextID and subjectID.
In case of JNDI CP,
empty string can be used as subjectID because this CP
always contain one
DigitalSubject per Context. In any case we need standard
way to get
DigitalSubject from Context.
Original Message -----
From: "Paul Trevithick"
To: "'Higgins (Trust Framework) Project
Thursday, July 26, 2007 12:12 AM
Subject: RE: [higgins-dev] STS profile
> Sergey wrote:
DigitalIdentityHandler is implemented to use the peculiarity of JNDI
>> each context contains single digital
subject and subject ID is returned
IContext.open() method. I think we should not use this
>> anywhere. Moreover, I think IContext.open() should
return nothing (void).
> Why do you think this is
> higgins-dev mailing