Opened 11 years ago

Closed 10 years ago

#1575 closed enhancement (fixed)

Add support for authenticator plug-in in external JAR files

Reported by: Nicklas Nordborg
Owned by: Nicklas Nordborg
Priority: major
Milestone: BASE 3.0
Component: core
Version:
Keywords:
Cc:

Description

Currently, classes/JAR files for external authentication that are installed by users need to be located in the default class path (e.g. WEB-INF/classes or WEB-INF/lib). This may be problematic if the external authentication uses 3rd-party JARs that are incompatible with those shipped together with BASE.

It shouldn't be too difficult to modify the Application.getAuthenticator() method so that it can use a different class loader defined in the base.config file.

For some background information see the mailing list: http://www.mail-archive.com/basedb-devel@lists.sourceforge.net/msg00433.html

Attachments (1)

externalAuth.diff (879 bytes) - added by base 11 years ago.
diffs of Application and SessionControl classes (version 2.16.1)


Change History (6)

Changed 11 years ago by base

Attachment: externalAuth.diff added

diffs of Application and SessionControl classes (version 2.16.1)

comment:1 Changed 11 years ago by base

Here is the diff that will make BASE use a separate class loader for external auth plugins. In the Application.getAuthenticator I pretty much copy-pasted the code you suggested.

The change in SessionControl is my unsuccessful attempt to change the way BASE handles external authentication exceptions. I forgot to look into login.jsp, to see how the exceptions are handled there. So please ignore the diff for SessionControl.

Anyway, the problem is the following. In the documentation it says that if 'it is considered a security issue to reveal that a login exists, the plugin may throw an UnknownLoginException instead'. I don't have a problem with information sensitivity here, but simply the authentication system I am using only says that login and password don't match. So, my plugin throws UnknownLoginExc and the only message BASE will show to the user is 'The user with login XXXXX is not a registered user for BASE.' That is sort of misleading when one has an account and knows that the login is correct. So I was thinking about a way of pushing the message from an external auth plugin into the BASE error displayed, so that it could inform the user better. The exception's message is possibly the best, so I will look into it again, not forgetting the login page this time...

comment:2 Changed 10 years ago by Nicklas Nordborg

Milestone: BASE 3.0

Moving this to 3.0 since I think #1599 will not happen in the near future.

comment:3 Changed 10 years ago by Nicklas Nordborg

Owner: changed from everyone to Nicklas Nordborg
Status: new → assigned

comment:4 Changed 10 years ago by Nicklas Nordborg

(In [5822]) References #1575: Add support for authenticator plug-in in external JAR files

Also added LoginException which can be used instead of UnknownLoginException or InvalidPasswordException in case the authentication implementation needs to display a custom message.

comment:5 Changed 10 years ago by Nicklas Nordborg

Resolution: fixed
Status: assigned → closed