Changeset 2977

Timestamp:

Nov 29, 2006, 2:50:51 PM (16 years ago)

Author:

Nicklas Nordborg

Message:

Fixes #138: Write documentation: 5c) Authentication plug-ins

Location:

trunk/doc

Files:

• admin/base.config.html (modified) (4 diffs)
• development/plugins/authentication/index.html (modified) (2 diffs)

trunk/doc/admin/base.config.html

@@ -27 +27 @@
 <html>
   <head>
-    <title>BASE 2.0 - Administrator documentation: base.config reference</title>
+    <title>BASE 2 - Administrator documentation: base.config reference</title>
   <link rel=stylesheet type="text/css" href="../styles.css">
   </head>
@@ -33 +33 @@
 
 <div class="navigation">
-  <a href="../index.html">BASE</a>
+  <a href="../index.html">BASE 2</a>
   <img src="../next.gif">
   <a href="index.html">Administrator documentation</a>
@@ -40 +40 @@
 </div>
 
-<h1>BASE 2.0 - Administrator documentation: base.config reference</h1>
+<h1>BASE 2 - Administrator documentation: base.config reference</h1>
 
 <div class="abstract">
@@ -187 +187 @@
   </dl>
 
-  <a name="secondary"></a>
+  <a name="authentication"></a>
   <h2>2. Authentication section</h2>
 
-  TODO
-
+  <p>
+    Settings related to external authentication. For more information
+    see: <a href="../development/plugins/authentication/index.html"
+      >Development information - Plugins for user authentication</a>
+  </p>
+  
+  <dl>
+  <dt class="method">auth.driver</dt>
+  <dd>
+    The class name of the plugin that acts as the authentication driver. BASE ships 
+    with a simple plugin that checks if a user has a valid email account on a POP3
+    server. It is not enabled by default. The class name of that plugin is
+    <code>net.sf.basedb.core.authentication.POP3Authenticator</code>. If no class
+    is specified internal authentication is used.
+  </dd>
+  
+  <dt class="method">auth.init</dt>
+  <dd>
+    Initialisation paramters sent to the plugin by calling the
+    <code>init()</code> method. The syntax and meaning of this string
+    depends on the plugin. For the <code>POP3Authenticator</code> this is simply
+    the IP-address of the mail server.
+  </dd>
+  
+  <dt class="method">auth.synchronize</dt>
+  <dd>
+    If this setting is 1 or TRUE the BASE core will synchronize the extra
+    information (name, address, email, etc.) sent by the authentication driver
+    when a user logs in to BASE. This setting is ignored if the driver doesn't 
+    support extra information. The <code>POP3Authenticator</code> returns FALSE.
+  </dd>
+  
+  <dt class="method">auth.cachepasswords</dt>
+  <dd>
+    If passwords should be cached by BASE or not. If the passwords are cached a user
+    may login to BASE even if the external authentication server is down.
+  </dd>
+  
+  <dt class="method">auth.daystocache</dt>
+  <dd>
+    How many days a cached password is valid if that is enabled. A value of 0 
+    caches the passwords for ever.
+  </dd>
+  
+  </dl>
+  
   <a name="jobqueue"></a>
   <h2>3. Internal job queue section</h2>

trunk/doc/development/plugins/authentication/index.html

@@ -43 +43 @@
   <div class="abstract">
   
-    TODO
-  
+    <p>
+    This document desribes how to create a plugin that uses an 
+    external solution to authenticte users.
+    </p>
     <p>
     <b>Contents</b>
     </p>
     <ol>
-      <li>
-
+      <li><a href="#overview">Internal vs. external authentication</a></li>
+      <li><a href="#authenticator">The Authenticator interface</a></li>
+      <li><a href="#config">Configuration settings</a></li>
     </ol>
     <p>
     <b>See also</b>
     <ul>
-    <li>
+    <li><a href="../../../admin/base.config.html#authentication">base.config reference:
+      Authentication section</a>
+    <li><a href="../../../api/net/sf/basedb/core/authentication/package-summary.html"
+      >Javadoc for the authentication package</a>
     </ul>
     </p>
@@ -63 +69 @@
     </p>
   </div>
+  
+  <a name="overview"></a>
+  <h2>1. Internal vs. external authentication</h2>
+  <p>
+    BASE can authenticate users in two ways. Either it uses the internal authentiction
+    or the external authentication. With internal authentication BASE stores logins and 
+    passwords in it's own database. With external authentication this is handled by
+    some external application. Even with external authentication it is possible to
+    let BASE cache the logins/passwords. This makes it possible to login to BASE if
+    the external authentication server is down.
+  </p>
+  
+  <p>
+    An external authentication server can only be used to grant or deny a user
+    access to BASE. It can't be used to give a user permissions inside BASE.
+  </p>
+  
+  <p>
+    The external authentication service is only used when a user logs in.
+    Now, one of several things can happen:
+  </p>
+  
+  <ul>
+  <li>
+    The login is correct and the user already exists in BASE. If the driver
+    supports extra information and <code>auth.synchronize</code> is set the
+    extra information is copied to the BASE server.
+  </li>
+  
+  <li>
+    The login is correct, but the user doesn't exists in BASE. A new user
+    account is created. If the driver supports extra information it is copied
+    to the BASE server (event if the <code>auth.synchronize</code> isn't set).
+    The new user account will get the default quota and be added to the 
+    <code>Users</code> role. In the future it may be possible that this is
+    configurable.
+  </li>
+  
+  <li>
+    The ROOT user is logging in. Internal authentication is always used for
+    the root user.
+  </li>
+  
+  <li>
+    If password caching is enabled, the password is copied to BASE. If an
+    expiration timeout has been set, the user will get an expiration date
+    set.
+  </li>
+  
+  <li>
+    The authentication server says that the login is invalid or the password
+    is incorrect. The user will not be logged in. If a user account with the
+    specified login already exists in BASE, it will be disabled.
+  </li>
+  
+  <li>
+    The authentication driver says that something else is wrong. If password
+    caching is enabled, internal authentication will be used. Otherwise 
+    the user will not be logged in. An already existing account is not modified
+    or disabled.
+  </li>
+  </ul>
+
+  <a name="overview"></a>
+  <h2>2. The Authenticator interface</h2>
+  <p>
+    To be able to use external authentication you must have a class that implements
+    the <code><a href="../../../api/net/sf/basedb/core/authentication/Authenticator.html"
+    >Authenticator</a></code> interface. In your <code>base.config</code> file you 
+    specify the class name in the <code>auth.driver</code> setting and it's
+    initialisation parameters in the <code>auth.init</code> setting.
+  </p>
+  
+  <p>
+    Your class must have a public no-argument constructor. The BASE application will 
+    create only one instance of the class for lifetime of the BASE server. It must be 
+    thread-safe since it may be invoked by multiple threads at the same time.
+    Here are the methods that you must implement:
+  </p>
+  
+  <dl>
+  <dt class="method">public void init(String settings);</dt>
+  <dd>
+    This method is called just after the object has been created with
+    it's argument taken from the <code>secondary.storage.driverauth.init</code>
+    setting in your <code>base.config</code> file. This method is only
+    called once for an object. The syntax and meaning of the parameter
+    is driver-dependent. It is irrelevant for the BASE core.  
+  </dd>
+  
+  <dt class="method">public boolean supportsExtraInformation();</dt>  
+  <dd>
+    This method should simply return TRUE or FALSE depending on if
+    the authentication driver supports extra user information or not.
+    The only required information about a user is a unique ID and the
+    login. Extra information includes name, address, phone, email, etc.
+  </dd>
+
+  <dt class="method">public AuthenticationInformation authenticate(String login,
+    String password)</dt>
+  <dd>
+    Try to authenticate a login/password combination. The driver should 
+    return an <code>AuthenticationInformation</code> object if the authentication
+    is successful or throw an exception if not. Exceptions:
+    <ul>
+    <li><code>UnknownLoginException</code>: This exception should be thrown
+      if the login is not know to the external authentication system</li>
+    <li><code>InvalidPasswordException</code>: This exception should be thrown
+      if the login is know but the password is invalid. In case it is
+      considered a security issue to reveal that a login exists, 
+      the plugin may throw an <code>UnknowLoginException</code> instead.</li>
+    <li><code>AuthenticationException</code>: In case there is another problem,
+      such as the authentication service beeing down. This exception is the only
+      one that triggers the use of cached passwords.</li>
+    </ul>
+  </dd>
+  </dl>
+
+  <a name="config"></a>
+  <h2>3. Configuration settings</h2>
+  
+  <p>
+    The configuration settings for the authentication driver is
+    located in the <code>base.config</code> file. Here is an overview of
+    the settings. For more information read the 
+    <a href="../../../admin/base.config.html#authentication">base.config reference</a>
+  </p>
+  
+  <dl>
+  <dt>auth.driver</dt>
+  <dd>
+    The class name of the authentication plugin.
+  </dd>
+
+  <dt>auth.init</dt>
+  <dd>
+    Initialisation paramters sent to the plugin by calling the
+    <code>init()</code> method.
+  </dd>
+  
+  <dt>auth.synchronize</dt>
+  <dd>
+    If extra user information is synchronized at login time or not. 
+    This setting is ignored if the driver doesn't support extra information.
+  </dd>
+  
+  <dt>auth.cachepasswords</dt>
+  <dd>
+    If passwords should be cached by BASE or not. If the passwords are cached a user
+    may login to BASE even if the external authentication server is down.
+  </dd>
+  
+  <dt>auth.daystocache</dt>
+  <dd>
+    How many days to cache the passwords if that is enabled. A value of 0 
+    caches the passwords for ever.
+  </dd>
+  
+  </dl>
 
 </body>