Most of the ACLs support group membership as part of their constraints.
For this we make use of the inherited JNDI support to check to see if the user has the
given role/group membership. Also, the code calls the base class method for
authorization. Thus if the web.xml was configured with static roles and auth
constraints, those checks would be done as well.
----- Original Message -----
From: "Adam Young" <ayoung(a)redhat.com>
To: pki-devel(a)redhat.com
Sent: Wednesday, March 14, 2012 6:47:46 PM
Subject: Re: [Pki-devel] 0001-Provide-Custom-PKI-JNDI-Realm.patch
So while this is perfect for working with both PKI, and FreeIPA, for
most of the JNDI/LDAP world, authorization consists of membership in
groups. I believe this is how the original JNDI plugin works. When we
extract this into its own RPM, we should keep that in mind, and allow
the configuration to specify which way it is going to be used.