MemCached StoragesService Compatibility

Esmeralda Câmara epires at
Mon Jan 16 11:38:53 GMT 2012

Hi Manuel

I still did not get the time to change the code as you described, and 
I’m getting out of time because I have to migrate the IdP to production 
with the x509 login handler.

But I agree with Douglas, it is a better approach to change this on the 
Memcache Storage service.

As soon as I have time I can try to change the code as you described, and I 
will give you feedback. If in the meanwhile you made any changes on the 
Memcached Storage Service I will be willing to test it and give feedback.

Thank you once again for your time and help

On 11-01-2012 16:56, Douglas E. Engert wrote:
> On 1/11/2012 10:31 AM, Manuel Haim wrote:
>> Hi Esmeralda,
>> reading your $subject.toString() call, I think I now have found the
>> problem and a possible solution...
>> In, a is
>> added to the Subject by this line:
>> principals.add(cert.getSubjectX500Principal());
>> Though I said the X500Principal was serializable, it turns out that the
>> contained X500Name is marked transient and thus will not be stored
>> within Memcache (see [1]). Thus, your $subject.toString() fails or
>> returns an empty string when using Memcached.
>> To work around this issue, you would need to write a wrapper class (e.g.
>> MyX500Principal) which will store the principal name. Then modify
>> and replace the
>> principals.add(cert.getSubjectX500Principal()); line by something like:
>> principals.add(new
>> MyX500Principal(cert.getSubjectX500Principal().getName()));
>> Also remember to edit the x500Principal attribute definition in your
>> attribute-resolver.xml (replace X500Principal("").getClass() with
>> something like myPackage.MyX500Principal("").getClass() ).
>> (the same may apply for a Kerberos login handler and
>>, as there is also
>> transient data within)
>> A different approach would be to modify the Memcached StorageService and
>> provide a way to store the transient data in an extra field. (This is
>> already done with the publicCredentials, if
>> retainSubjectsPublicCredentials in your web.xml is set to true.) I may
>> have a look at this in a few weeks (being out of office just now).
> If this would solve the problem, this looks like a better approach than
> having to change the other two packages. We are using both, but have
> not tried the memcache yet.
>> -Manuel
>> [1]
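The wrapper class suggested in the quoted message could look like the following. This is an added example, not code from the thread or from the IdP project. The class body, the sample DN and the use of Java's built-in serialization as a stand-in for the storage service's serializer (which the thread does not show) are all assumptions. Comparing on the canonical DN form keeps the case- and whitespace-insensitive matching that a plain string wrapper would lose.

```java
import java.io.*;
import java.security.Principal;
import javax.security.auth.x500.X500Principal;

/** Hypothetical MyX500Principal: keeps the DN in ordinary (non-transient) String fields. */
public final class MyX500Principal implements Principal, Serializable {
    private static final long serialVersionUID = 1L;

    private final String name;      // RFC 2253 form, as returned by X500Principal.getName()
    private final String canonical; // normalized form, used only for equals/hashCode

    public MyX500Principal(String name) {
        // Parsing rejects a malformed DN (IllegalArgumentException) before it is stored.
        X500Principal parsed = new X500Principal(name);
        this.name = parsed.getName();
        this.canonical = parsed.getName(X500Principal.CANONICAL);
    }

    @Override public String getName() { return name; }
    @Override public String toString() { return name; }

    @Override public boolean equals(Object o) {
        return o instanceof MyX500Principal
                && canonical.equals(((MyX500Principal) o).canonical);
    }
    @Override public int hashCode() { return canonical.hashCode(); }

    // Round trip with a constructed DN: the name must still be readable after deserialization.
    public static void main(String[] args) throws Exception {
        X500Principal subject = new X500Principal("CN=Test User, OU=People, O=Example, C=PT");
        MyX500Principal stored = new MyX500Principal(subject.getName());

        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(stored);
        }
        MyX500Principal restored;
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            restored = (MyX500Principal) in.readObject();
        }
        System.out.println("restored name: " + restored);
        // Same subject written with different case and spacing still matches.
        System.out.println("matches: "
                + restored.equals(new MyX500Principal("cn=test user,ou=people,o=example,c=pt")));
    }
}
```

The constructor accepts an empty string, so the `MyX500Principal("").getClass()` lookup mentioned for attribute-resolver.xml works with this class.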
