Opened 13 years ago

Closed 12 years ago

#1575 closed enhancement (fixed)

Add support for authenticator plug-in in external JAR files

Reported by: Nicklas Nordborg
Owned by: Nicklas Nordborg
Priority: major
Milestone: BASE 3.0
Component: core
Version:
Keywords:
Cc:

Description

Currently, classes/JAR files for external authentication that are installed by users need to be located in the default class path (e.g. WEB-INF/classes or WEB-INF/lib). This may be problematic if the external authentication uses 3rd-party JARs that are incompatible with those shipped together with BASE.

It shouldn't be too difficult to modify the Application.getAuthenticator() method so that it can use a different class loader defined in the base.config file.

For some background information see the mailing list: http://www.mail-archive.com/basedb-devel@lists.sourceforge.net/msg00433.html
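
The class-loader approach proposed in the description, as an added example that is not BASE's own code and not the attached diff: the `Authenticator` interface, the class names and the `load` parameters are hypothetical stand-ins. It goes one step beyond the ticket text by using child-first delegation, because a plain `URLClassLoader` asks its parent first, so the copies in WEB-INF/lib would still shadow the plug-in's 3rd-party JARs.

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example: all names below are hypothetical, not the BASE API.
public class ExternalAuthLoader {
    /** Stand-in for the interface the core shares with authenticator plug-ins. */
    public interface Authenticator {
        boolean authenticate(String login, String password);
    }
    /** Child-first loader: the plug-in JAR is searched before the web application's class path. */
    static final class PluginClassLoader extends URLClassLoader {
        private final String sharedType;
        PluginClassLoader(URL jar, ClassLoader parent, String sharedType) {
            super(new URL[] { jar }, parent);
            this.sharedType = sharedType;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                // JDK classes and the shared interface must come from the parent,
                // otherwise the core could not cast the plug-in to Authenticator.
                if (c == null && !name.startsWith("java.") && !name.startsWith(sharedType)) {
                    try {
                        c = findClass(name); // plug-in's own copy wins over WEB-INF/lib
                    } catch (ClassNotFoundException e) {
                        // not in the plug-in JAR: fall back to the parent below
                    }
                }
                if (c == null) return super.loadClass(name, resolve);
                if (resolve) resolveClass(c);
                return c;
            }
        }
    }

    static Authenticator load(String jarPath, String className) throws Exception {
        Path jar = Paths.get(jarPath).toRealPath(); // resolves symlinks, throws if missing
        if (!Files.isRegularFile(jar)) throw new IOException("Not a regular file: " + jar);
        ClassLoader loader = new PluginClassLoader(jar.toUri().toURL(),
                Authenticator.class.getClassLoader(), Authenticator.class.getName());
        // asSubclass rejects a configured class that does not implement the interface
        return Class.forName(className, true, loader).asSubclass(Authenticator.class)
                .getDeclaredConstructor().newInstance();
    }
}
```

The JAR path and class name would come from base.config; because the loaded class receives every login and password, that file and the JAR should be writable only by the server administrator.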

Attachments (1)

externalAuth.diff (879 bytes) - added by base 13 years ago.
diffs of Application and SessionControl classes (version 2.16.1)


Change History (6)

by base, 13 years ago

Attachment: externalAuth.diff added

diffs of Application and SessionControl classes (version 2.16.1)

comment:1 by base, 13 years ago

Here is the diff that will make BASE use a separate class loader for external auth plugins. In the Application.getAuthenticator I pretty much copy-pasted the code you suggested.

The change in SessionControl is my unsuccessful attempt to change the way BASE handles external authentication exceptions. I forgot to look into login.jsp to see how the exceptions are handled there. So please ignore the diff for SessionControl.

Anyway, the problem is the following. In the documentation it says that if 'it is considered a security issue to reveal that a login exists, the plugin may throw an UnknownLoginException instead'. I don't have a problem with information sensitivity here, but simply the authentication system I am using only says that login and password don't match. So, my plugin throws UnknownLoginExc and the only message BASE will show to the user is 'The user with login XXXXX is not a registered user for BASE.' That is sort of misleading when one has an account and knows that the login is correct. So I was thinking about a way of pushing the message from an external auth plugin into the BASE error displayed, so that it could inform the user better. The exception's message is possibly the best, so I will look into it again, not forgetting the login page this time...

comment:2 by Nicklas Nordborg, 12 years ago

Milestone: BASE 3.0

Moving this to 3.0 since I think #1599 will not happen in the near future.

comment:3 by Nicklas Nordborg, 12 years ago

Owner: changed from everyone to Nicklas Nordborg
Status: new → assigned

comment:4 by Nicklas Nordborg, 12 years ago

(In [5822]) References #1575: Add support for authenticator plug-in in external JAR files

Also added LoginException, which can be used instead of UnknownLoginException or InvalidPasswordException in case the authentication implementation needs to display a custom message.

comment:5 by Nicklas Nordborg, 12 years ago

Resolution: fixed
Status: assigned → closed