| A subject is used a container for passing the security context
information in the service context field. The security context
information in the subject must be stored either as a private or
a public credential according to the following convention:
PasswordCredential:
Client authentication will be performed using the username
and password in the PasswordCredential. PasswordCredential
must be passed as a PrivateCredential.
X500Name:
DN name specified in X500Name will be asserted. X500Name must
be passed as a PublicCredential.
GSSUPName:
Identity specified in GSSUPName will be asserted. GSSUPName must
be passed as a PublicCredential.
X509CertificateCredential:
The certificate chain in the credential will be asserted. The
credential must be passed as a PublicCredential.
AnonCredential:
Anonymous identity will be asserted. Credential must be passed
as a PublicCredential.
Class fields in the SecurityContext are used for credential selection.
There are two class fields: authcls and identcls.
authcls is a Class object that identifies the credential for
client authentication.
identcls is a Class object that identifies the credential for
identity assertion.
The following semantics must be observed:
1. A client authentication token is always passed as a private
credential. authcls set to the class of the authentication token
2. An identity token is always passed as a public credential.
identcls is set to the class of the identity token.
3. authcls is set to null if there is no client auth token
4. identcls is set to null if there is no ident token
5. There must not be more than one instance of class identified
by authcls or identcls. However, there can be one instance of
identcls *and* authcls (this allows both a client auth token
and an identity token to be passed across the interface). |
