[cas-dev] is the actual AuthenticationManagerImpl sufficient?
Velpi
velpi at industria.be
Thu Jun 22 11:09:31 EDT 2006
> In a way, what I say is 'credentialsResolver X and MetadataPopulator X
> should be called if AuthenticationHandler X succeeds', when you say
> something more general: 'credentialsResolver Y and MetadataPopulator Z
> should be called if AuthenticationHandler X succeeds'. IMHO, no need to
> associate credential resolvers and metadata populators to authentication
> handlers, since the authentication handler itself is the (only) actor
> that knows how to resolve the credentials and populate metadata.
> Do you see cases where it would not be the case?
I currently have a use case where the authentication is actually done by the
resolver (a lookup in a user repository). It's still possible in this model
since it still needs an "initial" authentication. (worst case you can just use a
dummy authentication handler)
But to support this use case the AuthManagerImpl should not forget about the fact
that a resolver might block the login process too.
e.g. x509:
auth: certificate is valid and trusted
resolver: user is allowed to identify itself using this certificate when he/she
can be resolved [can be used while filtering a certain attribute] (this actually
maps the certificate to him/her)
--Velpi
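
The x509 case from the message above, as an added example that is not part of the original post and is not CAS code: the handler only checks that the certificate is trusted, and a resolver that cannot map it to a user still fails the login. The `Handler` and `Resolver` interfaces, the string-map "certificate" and the user table are simplified, hypothetical stand-ins.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;

public class ResolverGateDemo {
    // Hypothetical, simplified stand-ins; not the CAS interfaces.
    interface Handler  { boolean authenticate(Map<String, String> cert); }
    interface Resolver { Optional<String> resolve(Map<String, String> cert); }

    static class AuthenticationFailed extends Exception {
        AuthenticationFailed(String reason) { super(reason); }
    }

    // Constructed user repository: certificate subject -> user id.
    static final Map<String, String> USERS_BY_SUBJECT =
        Map.of("CN=alice,O=Example", "alice");

    // Handler: stands in for "certificate is valid and trusted".
    static final Handler X509_HANDLER =
        c -> "trusted-ca".equals(c.get("issuer"));

    // Resolver: maps the certificate to a user, or to nothing.
    static final Resolver X509_RESOLVER =
        c -> Optional.ofNullable(USERS_BY_SUBJECT.get(c.get("subject")));

    static String authenticate(Map<String, String> cert) throws AuthenticationFailed {
        if (!X509_HANDLER.authenticate(cert)) {
            throw new AuthenticationFailed("handler rejected the certificate");
        }
        // Fail closed: an unresolved principal blocks the login as well.
        return X509_RESOLVER.resolve(cert).orElseThrow(
            () -> new AuthenticationFailed("no user mapped to this certificate"));
    }

    public static void main(String[] args) {
        // Constructed sample certificates, reduced to two string fields.
        List<Map<String, String>> samples = List.of(
            Map.of("issuer", "trusted-ca", "subject", "CN=alice,O=Example"),
            Map.of("issuer", "trusted-ca", "subject", "CN=bob,O=Example"),
            Map.of("issuer", "unknown-ca", "subject", "CN=alice,O=Example"));
        for (Map<String, String> cert : samples) {
            try {
                System.out.println(cert + " -> " + authenticate(cert));
            } catch (AuthenticationFailed e) {
                System.out.println(cert + " -> denied: " + e.getMessage());
            }
        }
    }
}
```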