1 Reply Latest reply on Dec 21, 2005 11:04 AM by starksm64

    JAAS Login Module and User Principal best practices

    mrforms

      Hi All,

      I just got into a new company. They have developed their own Authentication provider as a JAAS Login Module which is ok. They authenticate through different means.

      When they are done authenticating the user through the login method of the LoginModule, they populate the Subject with different Principals in the commit method. One of the principals has a specific field which is a business unit number that will identify a user as being part of a company A, B or C. For example, user BOB could be in the business unit number A and user TIM could be part of the business unit number B.

      My question is, should this kind of information be part of a Principal class/object? I was under the impression that this kind of information should be part of credentials in the Subject? Is what they did correct? One of the reasons I see why they did that at the time was to avoid passing an extra parameter to the Session bean facade methods and instead fetch the business number from the principal using the session bean's context instead.

      Any comment on this subject would be greatly appreciated. Continue with the good work guys.
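      The login/commit split described in the question, written out as an added example (not the poster's company's code): `BusinessUnitLoginModule` and `UserPrincipal` are hypothetical names, and the user/password check and the BOB -> unit A lookup are constructed stand-ins for the real back end. commit() shows both placements side by side: the business unit inside a Principal (option A, what the colleagues did) and as a public credential on the Subject (option B).

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class BusinessUnitLoginModule implements LoginModule {
    // Option A, as in the poster's company: the business unit rides inside a Principal.
    public static final class UserPrincipal implements Principal {
        private final String name, businessUnit;
        UserPrincipal(String name, String businessUnit) { this.name = name; this.businessUnit = businessUnit; }
        public String getName() { return name; }
        public String getBusinessUnit() { return businessUnit; }
    }
    private Subject subject; private CallbackHandler handler;
    private String user, unit;   // filled in by login(), consumed by commit()
    private boolean succeeded;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("callback failed: " + e); }
        char[] pw = pc.getPassword();
        try {
            // Constructed check standing in for the company's real authentication back end.
            if (!"bob".equals(nc.getName()) || !Arrays.equals(pw, "secret".toCharArray()))
                throw new FailedLoginException("bad user name or password");
            user = nc.getName();
            unit = "A";   // constructed lookup: BOB belongs to business unit A
            return succeeded = true;
        } finally {
            if (pw != null) Arrays.fill(pw, '\0');   // don't leave the password in memory
            pc.clearPassword();
        }
    }
    public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new UserPrincipal(user, unit));  // option A: unit inside the Principal
        subject.getPublicCredentials().add("businessUnit=" + unit); // option B: unit as a public credential
        return true;
    }
    public boolean abort() { succeeded = false; user = unit = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); subject.getPublicCredentials().clear(); return true; }
}
```

      With option A the session bean facade would read the unit through its EJBContext's getCallerPrincipal(), which is exactly where the caveat in the reply below applies: the container, not the login module, decides which Principal that call hands back.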

        • 1. Re: JAAS Login Module and User Principal best practices
          starksm64

          The Subject is the more general representation of the authenticated user, but different j2ee layers use different representations. There is no guarantee that you can control the principal available from the ejb/web tiers. You do have more control over the Subject, but really authentication is not standardized in terms of how you do this either. Whatever works currently is the bottom line. When jsr196 is included this should be standardized.