[higgins-dev] Re: App and end-user credential handling in idas

Sorry this is so late, I replied twice earlier and they both got lost.


Today, the API only allows one authenticated identity to be associated with an IContext instance at a time.  You could call IContext.open for the application, perform some tasks, then call IContext.close followed by IContext.open for the user, perform some other tasks, then IContext.close and IContext.open again as the application.  Last time this was discussed at length was Aug 2006.


BTW, the way proxy authorization works is a bit different from the way it's described below.  With ProxyAuth, one authenticates as an identity which is allowed to perform proxy operations.  Then one passes the identity (sans credentials) that it is acting on behalf of when performing an operation.


Anyway, this seems like another area that would benefit from an API extensibility mechanism.  We need to provide a way for this use case to be handled without adding yet another argument to every method out there.


Jim

>>> Phil Hunt <phil.hunt@xxxxxxxxxx> 01/08/08 1:27 PM >>>
Jim,


I was looking over the IdAS api and in particular exploring the JNDI test module. Is it possible to pass both the credential of the application as well as the credential of the user of the application. I notice that IdAS seems to work by using context.open(cred) to authenticate and process operations based on a particular credential.


Ideally, I'm looking for a way to have both an application credential and a user credential used through the API. So for example, context.open might be used to open a session context for a particular application. But a getSubjectAs call might be used to also pass an end-user credential in addition to the application credential authenticated via context.open. In the case of the JNDI CP it could use the ProxyAuth control to pass the app and the user credential to the LDAP server.


Thanks,


Phil Hunt

Oracle
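The two messages above differ on what actually goes to the LDAP server under proxy authorization: Phil's proposal has the JNDI context provider passing both the application and the user credential, while Jim's reply points out that only the proxied identity is passed, without its credential. The following is an added example written for this thread; it is not Higgins, IdAS or JNDI code. It builds and parses the LDAP Proxied Authorization control (RFC 4370, OID 2.16.840.1.113730.3.4.18) as it appears on the wire after the application has bound, and models the server-side decision with a constructed proxy ACL that stands in for the directory's own access control. The DN and authzId values are assumed names.

```python
"""
Proxied Authorization control (RFC 4370) on the wire.

Added example for this thread; not Higgins/IdAS or JNDI code. After binding
as the application, the context provider would attach this control to each
request: the end user's identity travels as an authzId string only, with no
user credential, and the server decides whether the bound identity may act
on that user's behalf. PROXY_ACL below is a constructed stand-in for the
directory's real ACI.
"""

PROXIED_AUTHZ_OID = "2.16.840.1.113730.3.4.18"   # RFC 4370, section 3


def _ber_length(n: int) -> bytes:
    """Definite-form BER length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(content)) + content


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the BER element starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def validate_authzid(authzid: str) -> str:
    """authzId forms per RFC 4513 section 5.2.1.8: 'dn:<DN>', 'u:<userid>', or '' (anonymous)."""
    if authzid == "":
        return authzid
    for prefix in ("dn:", "u:"):
        if authzid.startswith(prefix) and len(authzid) > len(prefix):
            return authzid
    raise ValueError("authzId must be 'dn:<DN>', 'u:<userid>' or empty: %r" % authzid)


def encode_proxied_authz_control(authzid: str) -> bytes:
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN, controlValue OCTET STRING }.
    RFC 4370 requires criticality TRUE; the controlValue is the raw authzId, not BER-wrapped.
    Note what is absent: there is no field for the proxied user's password."""
    value = validate_authzid(authzid).encode("utf-8")
    return _tlv(0x30,
                _tlv(0x04, PROXIED_AUTHZ_OID.encode("ascii"))
                + _tlv(0x01, b"\xff")
                + _tlv(0x04, value))


def decode_proxied_authz_control(control: bytes) -> str:
    """Server-side parse. Accepts only a critical Proxied Authorization control."""
    tag, seq, end = _read_tlv(control, 0)
    if tag != 0x30 or end != len(control):
        raise ValueError("not a Control SEQUENCE")
    tag, oid, pos = _read_tlv(seq, 0)
    if tag != 0x04 or oid != PROXIED_AUTHZ_OID.encode("ascii"):
        raise ValueError("not the Proxied Authorization control")
    if pos >= len(seq):
        raise ValueError("criticality must be present and TRUE (RFC 4370 section 3)")
    tag, crit, pos = _read_tlv(seq, pos)
    if tag != 0x01 or len(crit) != 1 or crit == b"\x00":
        raise ValueError("criticality must be present and TRUE (RFC 4370 section 3)")
    if pos >= len(seq):
        raise ValueError("controlValue missing")
    tag, value, pos = _read_tlv(seq, pos)
    if tag != 0x04 or pos != len(seq):
        raise ValueError("malformed controlValue")
    return validate_authzid(value.decode("utf-8"))


def authorize_proxy(bound_identity: str, control: bytes, proxy_acl: dict) -> str:
    """The directory's decision: the identity that authenticated on bind must hold
    the proxy right for the requested authzId. The target's credential is never
    seen. Returns the effective authorization identity for the operation."""
    target = decode_proxied_authz_control(control)
    permitted = proxy_acl.get(bound_identity, frozenset())
    if target not in permitted and "*" not in permitted:
        raise PermissionError("%s may not proxy as %s" % (bound_identity, target))
    return target


# Constructed sample: the application binds, then proxies one request as Phil.
APP_DN = "cn=portal-app,ou=apps,dc=example,dc=com"        # assumed name
USER_AUTHZID = "dn:uid=phil,ou=people,dc=example,dc=com"  # assumed name
PROXY_ACL = {APP_DN: frozenset({USER_AUTHZID})}           # stand-in for directory ACI

if __name__ == "__main__":
    ctl = encode_proxied_authz_control(USER_AUTHZID)
    print(ctl.hex())
    print("effective identity:", authorize_proxy(APP_DN, ctl, PROXY_ACL))
```

Two practical checks follow from this. The control carries no secret, so the only thing protecting the end user is the directory's proxy ACL on the application's bind identity; that ACL should name the identities the application may impersonate rather than granting a blanket right. And the control must be sent critical: a server that does not support it must fail the request rather than silently run it as the application.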



