Context Navigation

← Previous Changeset
Next Changeset →

Changeset 6429

Timestamp:

Mar 10, 2014, 9:24:52 AM (9 years ago)

Author:

Nicklas Nordborg

Message:

References #1599: Convert authentication plug-in system to an extension point

Updated documentation.

Location:

trunk

Files:

: 5 edited

doc/src/docbook/appendix/base.config.xml (modified) (2 diffs)
doc/src/docbook/appendix/incompatible.xml (modified) (1 diff)
doc/src/docbook/developer/extensions.xml (modified) (1 diff)
doc/src/docbook/developer/plugins.xml (modified) (1 diff)
src/core/net/sf/basedb/core/AuthenticationContext.java (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/doc/src/docbook/appendix/base.config.xml

-                      r6080
+                      r6429
       going to use external authentication. If you let BASE handle this
       you will not have to bother about these settings. See
       <xref linkend="plugin_developer.other.authentication"/> for more information about
+      <xref linkend="extensions_developer.login-manager"/> for more information about
       external authentication.
     </para>
 …
     <variablelist>
     <varlistentry>
-      <term><property>auth.driver</property></term>
-      <listitem>
-        <para>
-        The class name of the plug-in that acts as the authentication driver.
-        BASE ships with a simple plug-in that checks if a user has a valid email
-        account on a POP3 server. It is not enabled by default. The class name
-        of that plug-in is <classname docapi="net.sf.basedb.core.authentication">net.sf.basedb.core.authentication.POP3Authenticator</classname>.
-        If no class is specified internal authentication is used.
-          </para>
-      </listitem>
-    </varlistentry>
-    <varlistentry>
-      <term><property>auth.jarpath</property></term>
-      <listitem>
-        <para>
-        The path to the JAR file containing the class specified by the
-        <property>auth.driver</property> setting. If empty, it is assumed that
-        class is on the class-path. Eg. in the <filename>WEB-INF/lib</filename>
-        directory.
-          </para>
-      </listitem>
-    </varlistentry>
-    <varlistentry>
-      <term><property>auth.init</property></term>
-      <listitem>
-        <para>
-        Initialisation parameters sent to the plug-in when calling the
-        <methodname>init()</methodname> method. The syntax and meaning of this
-        string depends on the plug-in. For the <classname docapi="net.sf.basedb.core.authentication">POP3Authenticator</classname>
-        this is simply the name or IP-address of the mail server.
-          </para>
-      </listitem>
-    </varlistentry>
-    <varlistentry>
       <term><property>auth.synchronize</property></term>
       <listitem>
         <para>
         If this setting is 1 or TRUE, BASE will synchronize the extra
         information (name, address, email, etc.) sent by the authentication driver
         when a user logs in to BASE. This setting is ignored if the driver does not
         support extra information.
+        information (name, address, email, etc.) sent by the authentication manager
+        when a user logs in to BASE. This setting is ignored if the manager does not
+        provide extra information.
           </para>
       </listitem>

trunk/doc/src/docbook/appendix/incompatible.xml

-                      r6410
+                      r6429
       allowed in property names.
     </para>
+    <bridgehead>External authentication has been converted to an extension point</bridgehead>
+    <para>
+      External authentication plug-ins using the old system are supported through a
+      wrapper extension, but the recommendation is to update those plug-in to the
+      new system. See <xref linkend="extensions_developer.login-manager" /> for more information.
+    </para>
   </sect1>

trunk/doc/src/docbook/developer/extensions.xml

-                      r6417
+                      r6429
     </sect2>
+    <sect2 id="extensions_developer.login-manager">
+      <title>Login manager</title>
+      <para>
+        This extension point makes it possible to authenticate users by some other means than
+        the regular internal username+password authentication. Authentication managers should
+        implement the <classname docapi="net.sf.basedb.core.authentication">AuthenticationManager</classname>
+        action interface. This interface is simple and contain only one parameter-less method
+        <methodname>authenticate()</methodname>. There are three outcomes:
+      </para>
+      <itemizedlist>
+        <listitem>
+          <para>A <classname docapi="net.sf.basedb.core.authentication">AuthenticatedUser</classname>
+          is returned with information about a user that has passed authentication.
+          </para>
+        </listitem>
+        <listitem>
+          <para>A <constant>null</constant> value is returned to indicate that the manager could
+          not determine if the login credentials are valid or not. The BASE core may try another
+          authentication manager or use internal authentication.
+          </para>
+        </listitem>
+        <listitem>
+          <para>An exception is thrown to indicate that the manager has determined that
+          the login credentials are invalid.
+          </para>
+        </listitem>
+      </itemizedlist>
+      <para>
+        Since the action interface doesn't contain any parameters that contain information about the
+        login request, the implementation need to get this from the <classname
+        docapi="net.sf.basedb.util.extensions">ClientContext</classname> that is passed to the
+        action factory. The <methodname>getCurrentItem()</methodname> item is a <classname
+        docapi="net.sf.basedb.core.authentication">LoginRequest</classname> containing the login and
+        password the user entered on the login page. The <classname>ClientContext</classname>
+        ojbect can be cast to <classname docapi="net.sf.basedb.core">AuthenticationContext</classname>
+        which provide some extra services to the authentication manager.
+      </para>
+      <sect3 id="extensions_developer.login-manager.internal-vs-external">
+        <title>Internal vs. external authentation</title>
+        <para>
+          All login requests (except ROOT) are always sent to registered authentication
+          managers first. Internal authentication is only used if no authentication
+          manager could validate the user. Even with external authentication it is possible to
+          let BASE cache the logins/passwords. This makes it possible to login to
+          BASE if the external authentication server is down.
+        </para>
+        <note>
+          <para>
+          An external authentication server can only be used to grant or deny
+          a user access to BASE. It cannot be used to give a user permissions,
+          or put a user into groups or different roles inside BASE.
+          </para>
+        </note>
+        <para>
+          The authentication process goes something like this:
+          <itemizedlist>
+          <listitem>
+            <para>
+              The ROOT user is logging on. Internal authentication is always
+              used for the root user and no authentication managers are used.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              An external authentication manager determines that the login request
+              is valid and the user is already known to BASE.
+              If the extra information (name, email, phone, etc.) is supplied
+              and the <property>auth.synchronize</property> setting
+              is <constant>TRUE</constant> the extra information is copied to
+              the BASE server.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              An external authentication manager determines that the login request
+              is valid, but the user is not known to BASE. This happens
+              the first time a user logs in. BASE will create
+              a new user account. If the authentication manager provides extra information, it
+              is copied to the BASE server (even if <property>auth.synchronize</property>
+              is not set). The new user account will get the default quota
+              and be added to the all roles and groups which has been
+              marked as <emphasis>default</emphasis>.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              If password caching is enabled, the password is copied to BASE.
+              If an expiration timeout has been set, an expiration date
+              will be calculated and set on the user account. The expiration
+              date is only checked when the external authentication server is
+              down.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              The external authentication manager says that the login is invalid or
+              the password is incorrect. The user will not be logged in.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              The authentication manager says that something else is wrong.
+              If password caching is enabled, internal authentication will be
+              used. Otherwise the user will not be logged in.
+            </para>
+          </listitem>
+          </itemizedlist>
+        </para>
+      </sect3>
+      <sect3 id="pextensions_developer.login-manager.settings">
+        <title>Configuration settings</title>
+        <para>
+          The configuration settings for the authentication system are located
+          in the <filename>base.config</filename> file.
+          Here is an overview of the settings. For more information read
+          <xref linkend="appendix.base.config.authentication" />.
+        </para>
+        <variablelist>
+        <varlistentry>
+          <term><property>auth.synchronize</property></term>
+          <listitem>
+            <para>
+            If extra user information is synchronized at login time or not.
+            This setting is ignored if the driver does not support extra information.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><property>auth.cachepasswords</property></term>
+          <listitem>
+            <para>
+              If passwords should be cached by BASE or not. If the passwords are
+              cached a user may login to BASE even if the external authentication
+              server is down.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><property>auth.daystocache</property></term>
+          <listitem>
+            <para>
+              How many days to cache the passwords if caching has been enabled.
+              A value of 0 caches the passwords for ever.
+            </para>
+          </listitem>
+        </varlistentry>
+        </variablelist>
+      </sect3>
+    </sect2>
+    <sect2 id="extensions_developer.login-form">
+      <title>Login form</title>
+      <para>
+        This extension point is typically used in combination with a login manager to provide a
+        customized login form. Extensions should implement the <interfacename
+        docapi="net.sf.basedb.clients.web.extensions.login">LoginFormAction</interfacename>
+        action which is used to specify prompts, tooltips, help texts and styling information
+        for the login and password fields. The extension point supports custom scripts and stylesheets.
+      </para>
+      <note>
+        <title>Only the first registered extension is used</title>
+        <para>
+          Since there is only one login form, only the first registered extension is used even
+          if there are more extensions for this extension point.
+        </para>
+      </note>
+    </sect2>
   </sect1>

trunk/doc/src/docbook/developer/plugins.xml

-                      r6129
+                      r6429
       <title>Authentication plug-ins</title>
-      <important>
-        <title>This may be converted to an extension point in the future</title>
-        <para>
-        There are certain plans to convert the authentication mechanism to
-        an extension point in the future. There are several benefits with this:
-        </para>
-        <itemizedlist>
-          <listitem>
-            <para>
-            Easier installation since code doesn't have to be installed in the
-            WEB-INF/lib or WEB-INF/classes directory.
-            </para>
-          </listitem>
-          <listitem>
-            <para>
-            Allow support for multiple authentication modules. Users could either
-            select a specific module, or each module could be tried in turn or
-            some kind of auto-discovery can maybe be implemented.
-            </para>
-          </listitem>
-        </itemizedlist>
-        <para>
-          See <ulink url="http://base.thep.lu.se/ticket/1599">ticket #1599: Convert
-          authentication plug-in system to an extension point</ulink> for more
-          information.
-        </para>
-      </important>
       <para>
         BASE provides a plug-in mechanism for authenticating users
         (validating the username and password) when they are logging in.
         This plug-in mechanism is not the same as the regular plug-in API.
         That is, you do not have worry about user interaction or implementing the
         <interfacename docapi="net.sf.basedb.core.plugin">Plugin</interfacename> interface.
+        This style of plug-ins have been deprecated in BASE 3.3 and replaced by
+        an extension point. See <xref linkend="extensions_developer.login-manager" />
+        for more information. Backwards compatibility is supported via a wrapper
+        class that is automatically enabled if the <property>auth.driver</property>
+        property is set.
       </para>
-      <sect3 id="plugin_developer.other.authentication.internal_external">
-        <title>Internal vs. external authentation</title>
-        <para>
-          BASE can authenticate users in two ways. Either it uses the internal
-          authentication or the external authentication. With internal
-          authentication BASE stores logins and passwords in its own database.
-          With external authentication this is handled by some external
-          application. Even with external authentication it is possible to
-          let BASE cache the logins/passwords. This makes it possible to login to
-          BASE if the external authentication server is down.
-        </para>
-        <note>
-          <para>
-          An external authentication server can only be used to grant or deny
-          a user access to BASE. It cannot be used to give a user permissions,
-          or put a user into groups or different roles inside BASE.
-          </para>
-        </note>
-        <para>
-          The external authentication service is only used when a user logs in.
-          Now, one or more of several things can happen:
-          <itemizedlist>
-          <listitem>
-            <para>
-              The ROOT user is logging on. Internal authentication is always
-              used for the root user and the authenticator plug-in is never
-              used.
-            </para>
-          </listitem>
-          <listitem>
-            <para>
-              The login is correct and the user is already known to BASE.
-              If the plug-in supports extra information (name, email, phone, etc.)
-              and the <property>auth.synchronize</property> setting
-              is <constant>TRUE</constant> the extra information is copied to
-              the BASE server.
-            </para>
-          </listitem>
-          <listitem>
-            <para>
-              The login is correct, but the user is not known to BASE. This happens
-              the first time a user logs in. BASE will create
-              a new user account. If the driver supports extra information, it
-              is copied to the BASE server (even if <property>auth.synchronize</property>
-              is not set). The new user account will get the default quota
-              and be added to the all roles and groups which has been
-              marked as <emphasis>default</emphasis>.
-            </para>
-          </listitem>
-          <listitem>
-            <para>
-              If password caching is enabled, the password is copied to BASE.
-              If an expiration timeout has been set, an expiration date
-              will be calculated and set on the user account. The expiration
-              date is only checked when the external authentication server is
-              down.
-            </para>
-          </listitem>
-          <listitem>
-            <para>
-              The authentication server says that the login is invalid or
-              the password is incorrect. The user will not be logged in.
-              If a user account with the specified login already exists in
-              BASE, it will be disabled.
-            </para>
-          </listitem>
-          <listitem>
-            <para>
-              The authentication driver says that something else is wrong.
-              If password caching is enabled, internal authentication will be
-              used. Otherwise the user will not be logged in. An already
-              existing account is not modified or disabled.
-            </para>
-          </listitem>
-          </itemizedlist>
-        </para>
-      </sect3>
-      <sect3 id="plugin_developer.other.authentication.authenticator">
-        <title>The Authenticator interface</title>
-        <para>
-          To be able to use external authentication you must create a class
-          that implements the
-          <interfacename docapi="net.sf.basedb.core.authentication">net.sf.based.core.authentication.Authenticator</interfacename>
-          interface. Specify the name of the class in the <property>auth.driver</property>
-          setting in <filename>base.config</filename> and
-          its initialisation parameters in the <property>auth.init</property> setting.
-          The class can either be installed on Tomcat's class path (eg. <filename>WEB-INF/lib</filename>)
-          or on an external path. In the latter case the <property>auth.jarpath</property>
-          must be set in <filename>base.config</filename>.
-        </para>
-        <para>
-          Your class must have a public no-argument constructor. The BASE
-          application will create only one instance of the class for lifetime
-          of the BASE server. It must be thread-safe since it may be invoked by
-          multiple threads at the same time. Here are the methods that you must
-          implement
-        </para>
-        <variablelist>
-        <varlistentry>
-          <term>
-            <methodsynopsis language="java">
-              <modifier>public</modifier>
-              <void/>
-              <methodname>init</methodname>
-              <methodparam>
-                <type>String</type>
-                <parameter>settings</parameter>
-              </methodparam>
-              <exceptionname>AuthenticationException</exceptionname>
-            </methodsynopsis>
-          </term>
-          <listitem>
-            <para>
-            This method is called just after the object has been created with its argument
-            taken from the <property>auth.init</property> setting in your <filename>base.config</filename>
-            file. This method is only called once for an instance of the object. The syntax and meaning of
-            the parameter is driver-dependent and should be documented by the plug-in.
-            It is irrelevant for the BASE core.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term>
-            <methodsynopsis language="java">
-              <modifier>public</modifier>
-              <type>boolean</type>
-              <methodname>supportsExtraInformation</methodname>
-            </methodsynopsis>
-          </term>
-          <listitem>
-            <para>
-            This method should simply return <constant>TRUE</constant> or <constant>FALSE</constant>
-            depending on if the plug-in supports extra user information or not. The only required
-            information about a user is a unique ID and the login. Extra information includes
-            name, address, phone, email, etc.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term>
-            <methodsynopsis language="java">
-              <modifier>public</modifier>
-              <type>AuthenticationInformation</type>
-              <methodname>authenticate</methodname>
-              <methodparam>
-                <type>String</type>
-                <parameter>login</parameter>
-              </methodparam>
-              <methodparam>
-                <type>String</type>
-                <parameter>password</parameter>
-              </methodparam>
-              <exceptionname>UnknownLoginException</exceptionname>
-              <exceptionname>InvalidPasswordException</exceptionname>
-              <exceptionname>LoginException</exceptionname>
-              <exceptionname>AuthenticationException</exceptionname>
-            </methodsynopsis>
-          </term>
-          <listitem>
-            <para>
-            Try to authenticate a login/password combination. The plug-in should return
-            an <classname docapi="net.sf.basedb.core.authentication">AuthenticationInformation</classname> object if the
-            authentication is successful or throw an exception if not.
-            There are three exceptions to choose from:
-            <itemizedlist>
-            <listitem>
-              <para>
-              <exceptionname>UnknownLoginException</exceptionname>:
-              This exception should be thrown if the login is not known to the
-              external authentication system.
-              </para>
-            </listitem>
-            <listitem>
-              <para>
-              <exceptionname>InvalidPasswordException</exceptionname>:
-              This exception should be thrown if the login is known but the
-              password is invalid. In case it is considered a security issue
-              to reveal that a login exists, the plugin may throw an
-              <exceptionname>UnknowLoginException</exceptionname> or
-              <exceptionname>LoginException</exceptionname> instead.
-              </para>
-            </listitem>
-            <listitem>
-              <para>
-              <exceptionname>LoginException</exceptionname>:
-              This exception should be thrown if the login failed but it
-              is not known if the cause is an incorrect login or password.
-              The authenticator implementation must specify an error message
-              that is displayed to the user.
-              </para>
-            </listitem>
-            <listitem>
-              <para>
-              <exceptionname>AuthenticationException</exceptionname>:
-              In case there is another problem, such as the authentication service
-              being down. This exception triggers the use of cached passwords
-              if caching has been enabled.
-              </para>
-            </listitem>
-            </itemizedlist>
-            </para>
-          </listitem>
-        </varlistentry>
-        </variablelist>
-      </sect3>
-      <sect3 id="plugin_developer.other.authentication.settings">
-        <title>Configuration settings</title>
-        <para>
-          The configuration settings for the authentication driver are located
-          in the <filename>base.config</filename> file.
-          Here is an overview of the settings. For more information read
-          <xref linkend="appendix.base.config.authentication" />.
-        </para>
-        <variablelist>
-        <varlistentry>
-          <term><property>auth.driver</property></term>
-          <listitem>
-            <para>
-            The class name of the authentication plug-in.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><property>auth.jarpath</property></term>
-          <listitem>
-            <para>
-            The path to the JAR file containing the authentication plug-in.
-            This should be left empty if the plug-in is installed in the
-            <filename>WEB-INF/lib</filename> directory.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><property>auth.init</property></term>
-          <listitem>
-            <para>
-            Initialisation parameters sent to the plug-in when calling the
-            <methodname>Authenticator.init()</methodname> method.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><property>auth.synchronize</property></term>
-          <listitem>
-            <para>
-            If extra user information is synchronized at login time or not.
-            This setting is ignored if the driver does not support extra information.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><property>auth.cachepasswords</property></term>
-          <listitem>
-            <para>
-              If passwords should be cached by BASE or not. If the passwords are
-              cached a user may login to BASE even if the external authentication
-              server is down.
-            </para>
-          </listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><property>auth.daystocache</property></term>
-          <listitem>
-            <para>
-              How many days to cache the passwords if caching has been enabled.
-              A value of 0 caches the passwords for ever.
-            </para>
-          </listitem>
-        </varlistentry>
-        </variablelist>
-      </sect3>
     </sect2>

trunk/src/core/net/sf/basedb/core/AuthenticationContext.java

r6427	r6429
46	46	AuthenticationContext(SessionControl sc, org.hibernate.Session session, LoginRequest loginRequest)
47	47	{
48		super(sc, null, ~~null~~);
	48	super(sc, null, loginRequest);
49	49	this.session = session;
50	50	this.loginRequest = loginRequest;

Note: See TracChangeset for help on using the changeset viewer.