[Pki-devel] [PATCH] pki-cfu-0058-Ticket-1160-audit-logging-needed-REST-API-auth-authz.patch

Endi Sukma Dewata edewata at redhat.com
Tue May 12 20:42:10 UTC 2015


On 5/12/2015 1:01 PM, Christina Fu wrote:
> Attached please find the update.
> Two things to note:
> 1. for comment #2, as discussed over irc, I put the auth manager id in
> the authToken instead.  Turns out the session context has the whole
> authToken in it, so there is no need to put it in separately in the
> session context.
> 2. for comment #3, the difference between the password based and cert
> based auth is that by the time it gets here, cert based auth already
> passed the ssl auth, so we know exactly who the subject is, and what
> remains is just a matter of mapping it to the right user in the
> internaldb.  Unlike cert based auth, the password based auth could be
> anyone attempting to be the uid provided in the auth, so the "attempted"
> is more useful in capturing the attempt.
> I changed it so that cert based auth now has "attemptedUID" to be
> the same as that of the subjectid, and I added a comment to explain that.
> The two auth methods are going to be different, and for a good reason.
>
> I addressed the rest of the comments as requested.
>
> thanks,
> Christina

There is one more mSignedAuditLogger in PKIRealm. Other than that it's 
ACKed.

-- 
Endi S. Dewata



