MemCached StoragesService Compatibility
Manuel Haim
haim at hrz.uni-marburg.de
Wed Jan 11 16:31:27 GMT 2012
Hi Esmeralda,

reading your $subject.toString() call, I think I now have found the
problem and a possible solution...

In X509LoginServlet.java, a javax.security.auth.x500.X500Principal is
added to the Subject by this line:

principals.add(cert.getSubjectX500Principal());

Though I said the X500Principal was serializable, it turns out that the
contained X500Name is marked transient and thus will not be stored
within Memcache (see [1]). Thus, your $subject.toString() fails or
returns an empty string when using Memcached.

To work around this issue, you would need to write a wrapper class (e.g.
MyX500Principal) which will store the principal name. Then modify
X509LoginServlet.java and replace the
principals.add(cert.getSubjectX500Principal()); line by something like:

principals.add(new MyX500Principal(cert.getSubjectX500Principal().getName()));

Also remember to edit the x500Principal attribute definition in your
attribute-resolver.xml (replace X500Principal("").getClass() with
something like myPackage.MyX500Principal("").getClass() ).

(The same may apply for a Kerberos login handler and
javax.security.auth.kerberos.KerberosPrincipal, as there is also
transient data within.)

A different approach would be to modify the Memcached StorageService and
provide a way to store the transient data in an extra field. (This is
already done with the publicCredentials, if
retainSubjectsPublicCredentials in your web.xml is set to true.) I may
have a look at this in a few weeks (being out of office just now).

-Manuel
[1] X500Principal.java
http://javasourcecode.org/html/open-source/jdk/jdk-5.0/javax/security/auth/x500/X500Principal.java.html
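A wrapper class of the kind Manuel describes, added here as an example (not code from the post or from the Shibboleth IdP): it implements java.security.Principal and java.io.Serializable, carries nothing but the name string from X500Principal.getName(), accepts "" so the attribute-resolver.xml reference still works, and its main method shows the name surviving a Java serialization round-trip of the sort a Memcached-backed store performs. The sample DN is constructed and the class lives in the default package; put it in your own package (myPackage in the post) in practice.

```java
import java.io.*;
import java.security.Principal;
import javax.security.auth.x500.X500Principal;

/** Serializable stand-in for X500Principal: holds only the RFC 2253 name string. */
public final class MyX500Principal implements Principal, Serializable {
    private static final long serialVersionUID = 1L;
    private final String name;   // value of X500Principal.getName(); may be "" (resolver config)

    public MyX500Principal(String name) {
        if (name == null) throw new IllegalArgumentException("name must not be null");
        this.name = name;
    }

    @Override public String getName() { return name; }
    @Override public String toString() { return name; }   // what $subject.toString() renders
    @Override public int hashCode() { return name.hashCode(); }
    @Override public boolean equals(Object o) {
        return o instanceof MyX500Principal && name.equals(((MyX500Principal) o).name);
    }

    /** Serialize and deserialize the principal, as a Memcached-backed store would. */
    static Principal roundTrip(Principal p) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(p);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return (Principal) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample DN; in X509LoginServlet it would come from cert.getSubjectX500Principal()
        X500Principal fromCert = new X500Principal("CN=Jane Doe,OU=HRZ,O=Example University,C=DE");
        Principal wrapped = new MyX500Principal(fromCert.getName());
        Principal restored = roundTrip(wrapped);
        System.out.println("restored name: " + restored.getName());
        System.out.println("equal after round trip: " + wrapped.equals(restored));
    }
}
```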