MemCached StoragesService Compatibility
Esmeralda Câmara
epires at fccn.pt
Mon Jan 16 11:38:53 GMT 2012
Hi Manuel
I still did not get the time to change the code as you described, and
I’m getting out of time because I have to migrate the IdP to production
with the x509 login handler.
But I agree with Douglas, it is a better approach to change this on the
Memcache Storage service.
As soon as I have time I can try to change the code as you described, and I
will give you feedback. If in the meanwhile you made any changes on the
Memcached Storage Service I will be willing to test it and give feedback.
Thank you once again for your time and help
Regards
Esmeralda
On 11-01-2012 16:56, Douglas E. Engert wrote:
>
> On 1/11/2012 10:31 AM, Manuel Haim wrote:
>> Hi Esmeralda,
>>
>> reading your $subject.toString() call, I think I now have found the
>> problem and a possible solution...
>>
>> In X509LoginServlet.java, a javax.security.auth.x500.X500Principal is
>> added to the Subject by this line:
>>
>> principals.add(cert.getSubjectX500Principal());
>>
>> Though I said the X500Principal was serializable, it turns out that the
>> contained X500Name is marked transient and thus will not be stored
>> within Memcache (see [1]). Thus, your $subject.toString() fails or
>> returns an empty string when using Memcached.
>>
>> To work around this issue, you would need to write a wrapper class (e.g.
>> MyX500Principal) which will store the principal name. Then modify
>> X509LoginServlet.java and replace the
>> principals.add(cert.getSubjectX500Principal()); line by something like:
>>
>> principals.add(new
>> MyX500Principal(cert.getSubjectX500Principal().getName()));
>>
>> Also remember to edit the x500Principal attribute definition in your
>> attribute-resolver.xml (replace X500Principal("").getClass() with
>> something like myPackage.MyX500Principal("").getClass() ).
>>
>> (the same may apply for a Kerberos login handler and
>> javax.security.auth.kerberos.KerberosPrincipal, as there is also
>> transient data within)
>>
>> A different approach would be to modify the Memcached StorageService and
>> provide a way to store the transient data in an extra field. (This is
>> already done with the publicCredentials, if
>> retainSubjectsPublicCredentials in your web.xml is set to true.) I may
>> have a look at this in a few weeks (being out of office just now).
> If this would solve the problem, this looks like a better approach than
> having to change the other two packages. We are using both, but have
> not tried the memcache yet.
>
>> -Manuel
>>
>>
>> [1] X500Principal.java
>> http://javasourcecode.org/html/open-source/jdk/jdk-5.0/javax/security/auth/x500/X500Principal.java.html
>>
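The wrapper class Manuel suggests, written out as an added example (this is not code from the thread or from the Shibboleth IdP). The class name MyX500Principal is his; the constructor taking an X500Principal, the roundTrip helper and the sample DN are assumptions, and plain Java serialization stands in here for whatever the Memcached StorageService does internally. Because it keeps only a String, there is no transient field to lose when the Subject is cached.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.Principal;
import javax.security.auth.x500.X500Principal;

/** Serializable principal that keeps the subject DN as a plain String (nothing transient). */
public final class MyX500Principal implements Principal, Serializable {
    private static final long serialVersionUID = 1L;
    private final String name;  // RFC 2253 string form of the DN

    public MyX500Principal(String name) {
        if (name == null) throw new IllegalArgumentException("name must not be null");
        this.name = name;
    }

    /** Convenience constructor (assumed) for the X509LoginServlet change in the thread. */
    public MyX500Principal(X500Principal p) {
        this(p.getName(X500Principal.RFC2253));
    }

    @Override public String getName() { return name; }

    // Subject.getPrincipals() is a Set: equality must be by value so a cached
    // copy and a freshly built principal compare equal and do not duplicate.
    @Override public boolean equals(Object o) {
        return o instanceof MyX500Principal && name.equals(((MyX500Principal) o).name);
    }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return "MyX500Principal: " + name; }

    /** Writes the principal out and reads it back, as a serializing cache would (assumed helper). */
    static MyX500Principal roundTrip(MyX500Principal in) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(in); }
        try (ObjectInputStream oin = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return (MyX500Principal) oin.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample DN; a real deployment takes it from cert.getSubjectX500Principal().
        X500Principal fromCert = new X500Principal("CN=example user,O=Example,C=PT");
        MyX500Principal stored = roundTrip(new MyX500Principal(fromCert));
        System.out.println(stored.getName() + " equal after round-trip: "
                + stored.equals(new MyX500Principal(fromCert)));
    }
}
```

The attribute-resolver.xml change from the thread then matches on `myPackage.MyX500Principal` rather than `X500Principal`, and the resolver reads the DN through `getName()` exactly as before.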