shibboleth-dev - Re: [Shib-Dev] Principals in Session
Subject: Shibboleth Developers
List archive
- From: Paul Hethmon <>
- To: Shibboleth Dev <>
- Subject: Re: [Shib-Dev] Principals in Session
- Date: Tue, 30 Nov 2010 20:26:34 -0500
On 11/30/10 6:09 PM, "Brent Putman"
<>
wrote:
>>
>> Working on that part right now. I still have a need to only have a single
>> Principal per user though.
>
>
> Do you mind if I ask why? The general JAAS model of a Subject containing
> multiple Principals seems to me to be generally a valid one, especially
> when you factor in the possibility of non-user-identifying Principals,
> like groups, roles and entitlements and so forth. And of course in the
> IdP, you could have multiple user-identifying Principals by virtue
> multiple authentications with distinct LoginHandlers (which I'm guessing
> you assume away by using only your custom one).
It may well be me not understanding the concept here. Since I am using a
custom login handler, there is at most one principal a user can resolve to.
I really don't understand the use case of having multiple principals to
represent a user. I can see the multiple login handlers, but it seems with
the exception of the IPAddress handler, that is would be likely for the
other "standard" handlers to resolve to the same Principal.
I suspect my use cases are just much simpler than what is needed in the
higher education arena.
>
>
>
>> I can see a way to do it but it puts a dependency
>> on my Shib build on my library. I haven't needed to do that with any tweaks
>> or plugins yet, so I hate to introduce it.
>
>
> The cleanest way (no code modifications) I can think to do this off-hand
> would be just add a custom servlet filter that inspects the Session's
> Subject, and fixes it up as needed. Might want to add it after the
> IdPSessionFilter so that you can then just access the Session as a
> request attribute.
>
Well, what I've found at the moment after reverting my change for the single
Principal in AuthenticationEngine is that while it now has 2 Principals at
that point of execution, it only has a single when it reaches the data
resolver I wrote. That part I have not tracked down yet. In walking through
the debug output and following the execution, I can't seem to find where it
touches the Principals set again.
thanks,
Paul
- [Shib-Dev] Principals in Session, Paul Hethmon, 11/24/2010
- [Shib-Dev] RE: Principals in Session, Peter Williams, 11/25/2010
- Re: [Shib-Dev] Principals in Session, Brent Putman, 11/30/2010
- Re: [Shib-Dev] Principals in Session, Paul Hethmon, 11/30/2010
- Re: [Shib-Dev] Principals in Session, Brent Putman, 11/30/2010
- Re: [Shib-Dev] Principals in Session, Paul Hethmon, 11/30/2010
- Re: [Shib-Dev] Principals in Session, Paul Hethmon, 11/30/2010
- Re: [Shib-Dev] Principals in Session, Paul Hethmon, 11/30/2010
- Re: [Shib-Dev] Principals in Session, Brent Putman, 11/30/2010
- Re: [Shib-Dev] Principals in Session, Paul Hethmon, 11/30/2010
Archive powered by MHonArc 2.6.16.