MemCached StoragesService Compatibility

Douglas E. Engert deengert at anl.gov
Wed Jan 11 16:56:08 GMT 2012



On 1/11/2012 10:31 AM, Manuel Haim wrote:
> Hi Esmeralda,
>
> reading your $subject.toString() call, I think I now have found the
> problem and a possible solution...
>
> In X509LoginServlet.java, a javax.security.auth.x500.X500Principal is
> added to the Subject by this line:
>
> principals.add(cert.getSubjectX500Principal());
>
> Though I said the X500Principal was serializable, it turns out that the
> contained X500Name is marked transient and thus will not be stored
> within Memcache (see [1]). Thus, your $subject.toString() fails or
> returns an empty string when using Memcached.
>
> To work around this issue, you would need to write a wrapper class (e.g.
> MyX500Principal) which will store the principal name. Then modify
> X509LoginServlet.java and replace the
> principals.add(cert.getSubjectX500Principal()); line by something like:
>
> principals.add(new
> MyX500Principal(cert.getSubjectX500Principal().getName()));
>
> Also remember to edit the x500Principal attribute definition in your
> attribute-resolver.xml (replace X500Principal("").getClass() with
> something like myPackage.MyX500Principal("").getClass() ).
>
> (the same may apply for a Kerberos login handler and
> javax.security.auth.kerberos.KerberosPrincipal, as there is also
> transient data within)
>
> A different approach would be to modify the Memcached StorageService and
> provide a way to store the transient data in an extra field. (This is
> already done with the publicCredentials, if
> retainSubjectsPublicCredentials in your web.xml is set to true.) I may
> have a look at this in a few weeks (being out of office just now).

If this would solve the problem, this looks like a better approach than
having to change the other two packages. We are using both, but have
not tried the memcache yet.

>
> -Manuel
>
>
> [1] X500Principal.java
> http://javasourcecode.org/html/open-source/jdk/jdk-5.0/javax/security/auth/x500/X500Principal.java.html
>
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
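As an added illustration of the workaround Manuel describes (not code from the thread or from the Shibboleth project), the following Java class is a hypothetical MyX500Principal wrapper: it implements java.security.Principal and java.io.Serializable and keeps only the RFC 2253 string form of the DN, so there is no transient field to lose when a Subject is serialized. The main method builds a Subject the way X509LoginServlet.java would, but from a constructed sample DN rather than a certificate, and passes it through a Java serialization round-trip (the assumption here is that the Memcached StorageService stores the Subject via standard Java serialization) to show that the principal name survives. The toX500Principal() helper is also an assumption, added for code that still needs the JDK type.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

/** Hypothetical serializable stand-in for X500Principal that keeps only the DN string. */
public final class MyX500Principal implements Principal, Serializable {
    private static final long serialVersionUID = 1L;

    // Plain String field: nothing transient, so it is written and read back as-is.
    private final String name;

    public MyX500Principal(String name) {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("principal name must not be empty");
        }
        this.name = name;
    }

    @Override
    public String getName() {
        return name;
    }

    @Override
    public String toString() {
        // What a $subject.toString()-style rendering of the principal will show after deserialization.
        return name;
    }

    @Override
    public boolean equals(Object o) {
        return o instanceof MyX500Principal && name.equals(((MyX500Principal) o).name);
    }

    @Override
    public int hashCode() {
        return name.hashCode();
    }

    /** Rebuilds a JDK X500Principal on demand (assumed helper, not from the thread). */
    public X500Principal toX500Principal() {
        return new X500Principal(name);
    }

    /** Serializes a Subject to bytes and reads it back, mimicking a store/fetch cycle (assumption). */
    static Subject roundTrip(Subject subject) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(subject);
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (Subject) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample DN standing in for cert.getSubjectX500Principal().
        X500Principal fromCert = new X500Principal("CN=Sample User,OU=IdP,O=Example,C=US");

        // Equivalent of the replacement line suggested for X509LoginServlet.java.
        Subject subject = new Subject();
        subject.getPrincipals().add(new MyX500Principal(fromCert.getName()));

        Subject restored = roundTrip(subject);
        Set<MyX500Principal> principals = restored.getPrincipals(MyX500Principal.class);
        for (MyX500Principal p : principals) {
            System.out.println("after round-trip: " + p.getName());
        }
    }
}
```

If this class is used, the attribute-resolver.xml entry that currently references X500Principal("").getClass() has to point at the wrapper's fully qualified class name instead, as Manuel notes, otherwise the resolver will look for a principal type that is no longer in the Subject.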

