-
Feature Request
-
Resolution: Done
-
Minor
-
None
-
None
In the code base there is a SubjectAuthenticationService. The intention is, that the actor-id is set to the currently logged in JAAS-Subject. Unfortunately, this isn't implemented consequently.
In a current project we want to exchange the AuthenticationService, because we try to use Single-Sign-On Semantics in JBoss SOA Platform.
Currently there are 3 problems:
1.) There is no SubjectAuthenticationServiceFactory, so this AuthenticationService cannot be used
2.) subject.getPrincipals(principalClass) results in a list of Principals, containing groups as well. So by the current code, the actor isn't set correctly
3.) And this is the bigger SHOWSTOPPER: The AuthenticationService interface only defines the method "getActor". But at several places jbpmContext.setActorId is called (e.g. WebConsole PhaseListener, ESB BpmProcessor, ...). This results in an exception if the DefaultAuthenticationService is not used! This makes it impracticable to exchange the AuthenticationService.
So what to do at this front?
I see two possibilities:
a) Change the AuthenticationService interface to include a setActorId method. This can be ignored by implementations like the SubjectAuthenticationService (cannot and don't want to change the JAAS subject).
b) Change the JbpmContext to ignore setActorId depending on the AuthenticationService implementation.
The third possibility isn't really an option I think: Change all clients to NOT call the setActorId without any good reason.
I tend to option (a). What I could imagine is, that the actorId is queries from JAAS if null, but can be overwritten with setActorId and then remembered locally. Please refer to the forum for discussion....