shibboleth-dev - Re: [Shib-Dev] Principals in Session

Subject: Shibboleth Developers

  • From: Brent Putman <>
  • To:
  • Subject: Re: [Shib-Dev] Principals in Session
  • Date: Tue, 30 Nov 2010 18:09:52 -0500



On 11/30/10 4:58 PM, Paul Hethmon wrote:
>
>
> The data connector was already using the Session#getSubject path, so that
> was fine. It was my mucking with AuthenticationEngine that left only the new
> Principal from the PreviousSession handler in there.


Ok, I see.


>
> Working on that part right now. I still have a need to only have a single
> Principal per user though.


Do you mind if I ask why? The general JAAS model of a Subject containing
multiple Principals seems to me to be generally a valid one, especially
when you factor in the possibility of non-user-identifying Principals,
like groups, roles and entitlements and so forth. And of course in the
IdP, you could have multiple user-identifying Principals by virtue of
multiple authentications with distinct LoginHandlers (which I'm guessing
you assume away by using only your custom one).



> I can see a way to do it but it puts a dependency
> on my Shib build on my library. I haven't needed to do that with any tweaks
> or plugins yet, so I hate to introduce it.


The cleanest way (no code modifications) I can think to do this off-hand
would be to just add a custom servlet filter that inspects the Session's
Subject, and fixes it up as needed. Might want to add it after the
IdPSessionFilter so that you can then just access the Session as a
request attribute.
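
The Subject fix-up step that such a filter would perform, as an added example that is not part of the original message and is not Shibboleth code. It uses only the JDK's JAAS classes (Java 16+); `UserPrincipal`, `GroupPrincipal`, `keepSingleUser` and the sample names are hypothetical, and how the Session is read from the request and how the result is stored back are left out because the message does not give them.

```java
import java.security.Principal;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.security.auth.Subject;

public class SinglePrincipalFixup {

    // Hypothetical principal types standing in for whatever the login handlers add.
    record UserPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    record GroupPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    /**
     * Returns a Subject holding exactly one UserPrincipal plus every
     * non-user Principal (groups, roles, entitlements). The preferred name
     * wins if present; otherwise the first UserPrincipal seen is kept.
     * A new Subject is built rather than mutating the input, so a read-only
     * Subject (whose principal set rejects changes) is handled as well.
     */
    static Subject keepSingleUser(Subject in, String preferredName) {
        Set<Principal> kept = new LinkedHashSet<>();
        UserPrincipal chosen = null;
        for (Principal p : in.getPrincipals()) {
            if (p instanceof UserPrincipal u) {
                if (chosen == null || u.name().equals(preferredName)) chosen = u;
            } else {
                kept.add(p); // non-user-identifying principals are left alone
            }
        }
        if (chosen != null) kept.add(chosen);
        return new Subject(false, kept,
                in.getPublicCredentials(), in.getPrivateCredentials());
    }

    public static void main(String[] args) {
        // Constructed sample: two user principals from two logins, one group.
        Subject s = new Subject();
        s.getPrincipals().add(new UserPrincipal("jdoe@previous-session"));
        s.getPrincipals().add(new UserPrincipal("jdoe"));
        s.getPrincipals().add(new GroupPrincipal("staff"));
        s.setReadOnly();

        Subject fixed = keepSingleUser(s, "jdoe");
        System.out.println(fixed.getPrincipals());
    }
}
```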



