MemCached StoragesService Compatibility
epires at fccn.pt
Mon Jan 16 11:38:53 GMT 2012
I still did not get the time to change the code as you described, and
I'm running out of time because I have to migrate the IdP to production
with the x509 login handler.

But I agree with Douglas, it is a better approach to change this in the
Memcache Storage service.

As soon as I have time I can try to change the code as you described, and I
will give you feedback. If in the meantime you make any changes to the
Memcached Storage Service I will be willing to test it and give feedback.

Thank you once again for your time and help
On 11-01-2012 16:56, Douglas E. Engert wrote:
> On 1/11/2012 10:31 AM, Manuel Haim wrote:
>> Hi Esmeralda,
>> reading your $subject.toString() call, I think I now have found the
>> problem and a possible solution...
>> In X509LoginServlet.java, a javax.security.auth.x500.X500Principal is
>> added to the Subject by this line:
>> Though I said the X500Principal was serializable, it turns out that the
>> contained X500Name is marked transient and thus will not be stored
>> within Memcache (see ). Thus, your $subject.toString() fails or
>> returns an empty string when using Memcached.
>> To work around this issue, you would need to write a wrapper class (e.g.
>> MyX500Principal) which will store the principal name. Then modify
>> X509LoginServlet.java and replace the
>> principals.add(cert.getSubjectX500Principal()); line by something like:
>> Also remember to edit the x500Principal attribute definition in your
>> attribute-resolver.xml (replace X500Principal("").getClass() with
>> something like myPackage.MyX500Principal("").getClass() ).
>> (the same may apply for a Kerberos login handler and
>> javax.security.auth.kerberos.KerberosPrincipal, as there is also
>> transient data within)
>> A different approach would be to modify the Memcached StorageService and
>> provide a way to store the transient data in an extra field. (This is
>> already done with the publicCredentials, if
>> retainSubjectsPublicCredentials in your web.xml is set to true.) I may
>> have a look at this in a few weeks (being out of office just now).
> If this would solve the problem, this looks like a better approach than
> having to change the other two packages. We are using both, but have
> not tried the memcache yet.
>>  X500Principal.java
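
The wrapper class suggested in the quoted message could look like the sketch below. This is an added example, not code from the thread or from the Shibboleth project: the class name MyX500Principal comes from the message, while its fields, constructors and the constructed sample DN are assumptions, and Java's built-in serialization stands in for whatever serializer the storage service uses.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.Principal;
import javax.security.auth.x500.X500Principal;

// Hypothetical wrapper: keeps the DN in a plain, non-transient String field
// so that a serializer which skips transient fields still stores the name.
public class MyX500Principal implements Principal, Serializable {
    private static final long serialVersionUID = 1L;
    private final String name;

    // String constructor, so an expression such as MyX500Principal("") works.
    public MyX500Principal(String dn) {
        if (dn == null) throw new IllegalArgumentException("DN is required");
        // Parsing through X500Principal rejects malformed DNs early.
        this.name = new X500Principal(dn).getName(X500Principal.RFC2253);
    }

    public MyX500Principal(X500Principal p) {
        this.name = p.getName(X500Principal.RFC2253);
    }

    @Override public String getName() { return name; }
    @Override public String toString() { return name; }

    // Subject keeps principals in a Set, so value equality matters.
    @Override public boolean equals(Object o) {
        return o instanceof MyX500Principal && name.equals(((MyX500Principal) o).name);
    }
    @Override public int hashCode() { return name.hashCode(); }

    public static void main(String[] args) throws Exception {
        // Constructed sample DN; in the login servlet this would be
        // cert.getSubjectX500Principal().
        X500Principal fromCert = new X500Principal("CN=Test User,O=Example,C=PT");
        MyX500Principal before = new MyX500Principal(fromCert);

        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(before);
        }
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            MyX500Principal after = (MyX500Principal) in.readObject();
            System.out.println(after.getName() + " equal=" + before.equals(after));
        }
    }
}
```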