Attribution Methods

There are three attribution methods that an attribution provider should implement: attributeAuthenticatedSubject(), attributeSubject(), and attributeResource().

After authentication, the method attributeAuthenticatedSubject() is called to further elaborate on a subject's attributes. Because authentication is performed by a chain of JAAS LoginModules, and the result of that process is simply a set of principals and credentials, additional work is required after authentication to describe the user in more detail. Immediately following authentication, the CSI architecture reviews the authenticated subject's principals and initializes the ID and NAME attributes of the SecSubject object, as described in Authentication.

Any attributes other than these must be provided by the attributeAuthenticatedSubject() method, which takes two arguments. The first argument is the context map. The second argument is the SecSubject object that needs to have attributes defined on it. The attribution provider should use information contained in this object to add more attributes to the subject object. 

For example, an LDAP authentication module adds an LDAPDNPrincipal principal to the subject's principal set. A companion LDAP attribution provider may implement attributeAuthenticatedSubject() to look for the custom LDAPDNPrincipal object in the principal set. It then uses the DN stored in the principal to connect to the LDAP server and retrieve extended attributes about the user represented by the principal. The specifics of the attributes are undefined in the context of CSI – each attribution provider defines its own set of attributes. The only subject attributes used by Sybase Unwired Platform are the ID and NAME attributes; all others are ignored.

While the most common way to retrieve a SecSubject instance is through an authenticated security context's getSubject() method, an unauthenticated subject can also be retrieved using the context's getSubject(String id) method. It is through this method that the attribution provider's attributeSubject() method is called. This method is similar to attributeAuthenticatedSubject(), except that it receives a single identifier in a third argument, which is to be used as the subject identifier. If an attribution provider can recognize and attribute a subject with the given identifier, it should return "true" when complete. This indicates to CSI that the attribution provider recognized a user with the specified identity, and that CSI should pass an unauthenticated SecSubject instance back to the CSI client. A provider that cannot recognize the identifier should return "false", so that an unauthenticated subject is never handed out for an unknown identity.

The third attribution method, attributeResource(), is used in a manner similar to attributeSubject(). The security context's getResource() method delegates to each of the configured attribution providers, and if one or more of them signals that it recognized and attributed the resource, a SecResource implementation is returned to the client. One difference is that, in addition to attributes, this method should populate the resource type lists of the SecResource object.
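The following is an added illustration of the three methods described above, covering the LDAP scenario from the attributeAuthenticatedSubject() discussion as well as attributeSubject() and attributeResource(). It is not code from Sybase Unwired Platform or CSI: the real provider interface name, the exact method signatures (the context map type, the third argument of attributeResource()), and the SecSubject/SecResource/LDAPDNPrincipal classes are not shown on this page, so minimal stand-ins are used here and the Directory abstraction replaces a real LDAP connection. The in-memory directory contents and the resource type name "Report" are constructed for the demonstration.

```java
import java.security.Principal;
import java.util.*;

/** Stand-in for the principal an LDAP login module adds to the subject (assumed shape, not the CSI class). */
final class LDAPDNPrincipal implements Principal {
    private final String dn;
    LDAPDNPrincipal(String dn) { this.dn = dn; }
    @Override public String getName() { return dn; }
}

/** Stand-in for the CSI subject object: a principal set plus named attributes (assumed API). */
class SecSubject {
    final Set<Principal> principals = new HashSet<>();
    final Map<String, String> attributes = new HashMap<>();
    void setAttribute(String name, String value) { attributes.put(name, value); }
}

/** Stand-in for the CSI resource object: attributes plus the resource type list the text mentions. */
class SecResource extends SecSubject {
    final List<String> resourceTypes = new ArrayList<>();
}

/** Minimal directory abstraction standing in for an LDAP connection (assumed, constructed for this example). */
interface Directory {
    Map<String, String> entryByDn(String dn);          // null if the entry does not exist
    String dnForId(String id);                         // null if the identifier is unknown
    List<String> typesForResource(String resourceId);  // null if the resource is unknown
}

/** Hypothetical LDAP attribution provider; the real CSI provider interface it would implement is not named here. */
public class LdapAttributionProvider {
    private final Directory directory;
    public LdapAttributionProvider(Directory directory) { this.directory = directory; }

    /** Called after authentication. CSI has already set ID and NAME; only extended attributes are added here. */
    public void attributeAuthenticatedSubject(Map<String, Object> context, SecSubject subject) {
        for (Principal p : subject.principals) {
            if (p instanceof LDAPDNPrincipal) {
                copyEntry(directory.entryByDn(p.getName()), subject);
                return;
            }
        }
        // No LDAPDNPrincipal: another login module authenticated this user, so this provider adds nothing.
    }

    /** Called via getSubject(String id). Returns true only when this provider recognizes the identifier. */
    public boolean attributeSubject(Map<String, Object> context, SecSubject subject, String id) {
        String dn = directory.dnForId(id);
        if (dn == null) return false;      // unknown identity: fail closed so no unauthenticated subject is issued
        subject.setAttribute("ID", id);    // assumption: the provider supplies ID for an unauthenticated subject
        copyEntry(directory.entryByDn(dn), subject);
        return true;
    }

    /** Called via getResource(). Besides attributes, the resource type list must be populated. */
    public boolean attributeResource(Map<String, Object> context, SecResource resource, String resourceId) {
        List<String> types = directory.typesForResource(resourceId);
        if (types == null) return false;   // not a resource this provider knows; let other providers answer
        resource.setAttribute("ID", resourceId);
        resource.resourceTypes.addAll(types);
        return true;
    }

    private static void copyEntry(Map<String, String> entry, SecSubject subject) {
        if (entry == null) return;         // entry vanished between login and attribution: add nothing
        for (Map.Entry<String, String> e : entry.entrySet()) subject.setAttribute(e.getKey(), e.getValue());
    }

    // Constructed in-memory directory exercising all three calls end to end.
    public static void main(String[] args) {
        final String aliceDn = "uid=alice,ou=people,dc=example,dc=com";
        final Map<String, Map<String, String>> entries = new HashMap<>();
        entries.put(aliceDn, Map.of("NAME", "Alice Example", "mail", "alice@example.com"));
        Directory dir = new Directory() {
            public Map<String, String> entryByDn(String dn) { return entries.get(dn); }
            public String dnForId(String id) { return "alice".equals(id) ? aliceDn : null; }
            public List<String> typesForResource(String rid) { return rid.startsWith("report:") ? List.of("Report") : null; }
        };
        LdapAttributionProvider provider = new LdapAttributionProvider(dir);

        SecSubject authenticated = new SecSubject();
        authenticated.principals.add(new LDAPDNPrincipal(aliceDn));
        provider.attributeAuthenticatedSubject(Map.of(), authenticated);
        System.out.println("after auth: " + authenticated.attributes);

        System.out.println("known id:   " + provider.attributeSubject(Map.of(), new SecSubject(), "alice"));
        System.out.println("unknown id: " + provider.attributeSubject(Map.of(), new SecSubject(), "mallory"));

        SecResource res = new SecResource();
        boolean found = provider.attributeResource(Map.of(), res, "report:quarterly");
        System.out.println("resource:   " + found + " " + res.resourceTypes);
    }
}
```

The two boolean methods return false whenever the directory does not know the identifier, which is the behaviour the text calls for: CSI only hands an unauthenticated SecSubject or a SecResource to the client when some provider explicitly claims to recognize it.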