MemCached StoragesService Compatibility
Douglas E. Engert
deengert at anl.gov
Wed Jan 11 16:56:08 GMT 2012
On 1/11/2012 10:31 AM, Manuel Haim wrote:
> Hi Esmeralda,
> reading your $subject.toString() call, I think I now have found the
> problem and a possible solution...
> In X509LoginServlet.java, a javax.security.auth.x500.X500Principal is
> added to the Subject by this line:
> Though I said the X500Principal was serializable, it turns out that the
> contained X500Name is marked transient and thus will not be stored
> within Memcache (see ). Thus, your $subject.toString() fails or
> returns an empty string when using Memcached.
> To work around this issue, you would need to write a wrapper class (e.g.
> MyX500Principal) which will store the principal name. Then modify
> X509LoginServlet.java and replace the
> principals.add(cert.getSubjectX500Principal()); line by something like:
> Also remember to edit the x500Principal attribute definition in your
> attribute-resolver.xml (replace X500Principal("").getClass() with
> something like myPackage.MyX500Principal("").getClass() ).
> (the same may apply for a Kerberos login handler and
> javax.security.auth.kerberos.KerberosPrincipal, as there is also
> transient data within)
> A different approach would be to modify the Memcached StorageService and
> provide a way to store the transient data in an extra field. (This is
> already done with the publicCredentials, if
> retainSubjectsPublicCredentials in your web.xml is set to true.) I may
> have a look at this in a few weeks (being out of office just now).
If this would solve the problem, this looks like a better approach than
having to change the other two packages. We are using both, but have
not tried the memcache yet.
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
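The wrapper class Manuel describes above, written out as an added example (not code from the thread, from Shibboleth, or from either author). It assumes a single-file layout with no package declaration (the thread's `myPackage.MyX500Principal` would need one), keeps both the RFC 2253 name and the DER encoding as ordinary fields so nothing transient is lost, and checks itself with a plain Java serialization round trip; the sample DN in `main` is constructed for the demo:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.Principal;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

/**
 * Serializable stand-in for javax.security.auth.x500.X500Principal.
 * Every field is non-transient, so the name survives any store that
 * only persists serialized fields.
 */
public final class MyX500Principal implements Principal, Serializable {
    private static final long serialVersionUID = 1L;

    private final String name;    // RFC 2253 string, what getName() returns
    private final byte[] encoded; // DER bytes, lets us rebuild the original

    /** Wraps an existing principal, e.g. cert.getSubjectX500Principal(). */
    public MyX500Principal(X500Principal p) {
        this.name = p.getName(X500Principal.RFC2253);
        this.encoded = p.getEncoded();
    }

    /** String form, so MyX500Principal("").getClass() works in the resolver config. */
    public MyX500Principal(String rfc2253Name) {
        this(new X500Principal(rfc2253Name));
    }

    @Override public String getName() { return name; }

    /** Rebuilds the JDK principal when a consumer needs the real type. */
    public X500Principal toX500Principal() { return new X500Principal(encoded); }

    // Equality on the DER encoding keeps Subject.getPrincipals() set semantics sane.
    @Override public boolean equals(Object o) {
        return o instanceof MyX500Principal
            && Arrays.equals(encoded, ((MyX500Principal) o).encoded);
    }
    @Override public int hashCode() { return Arrays.hashCode(encoded); }
    @Override public String toString() { return name; }

    /** Serializes and deserializes an object, as an external store would. */
    static Object roundTrip(Serializable in) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(in);
        }
        try (ObjectInputStream oin =
                 new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return oin.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample DN standing in for a client certificate's subject.
        X500Principal fromCert = new X500Principal("CN=Esmeralda,OU=IdP,O=Example,C=US");

        // What X509LoginServlet would do: add the wrapper instead of the raw principal.
        Subject subject = new Subject();
        subject.getPrincipals().add(new MyX500Principal(fromCert));

        Subject restored = (Subject) roundTrip(subject);
        MyX500Principal p = restored.getPrincipals(MyX500Principal.class).iterator().next();

        if (!p.getName().equals(fromCert.getName(X500Principal.RFC2253))
                || !p.toX500Principal().equals(fromCert)) {
            throw new IllegalStateException("principal did not survive serialization");
        }
        System.out.println("restored subject: " + restored);
    }
}
```

Compile and run with `javac MyX500Principal.java && java MyX500Principal`. The `toX500Principal()` method is the check worth keeping: any code downstream that expects the JDK type (certificate matching, `Subject.getPrincipals(X500Principal.class)`) will no longer find it once the wrapper is used, so the DER encoding is retained to hand back an equal `X500Principal` on demand.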