This document describes how to create a plugin that uses an external solution to authenticate users.
BASE can authenticate users in two ways: internal authentication or external authentication. With internal authentication BASE stores logins and passwords in its own database. With external authentication this is handled by some external application. Even with external authentication it is possible to let BASE cache the logins/passwords. This makes it possible to log in to BASE if the external authentication server is down.
An external authentication server can only be used to grant or deny a user access to BASE. It can't be used to give a user permissions inside BASE.
The external authentication service is only used when a user logs in. Now, one of several things can happen:
auth.synchronize is set the extra information is copied to the BASE server.
auth.synchronize isn't set).
The new user account will get the default quota and be added to the Users role. In the future this may become configurable.
To be able to use external authentication you must have a class that implements the Authenticator interface. In your base.config file you specify the class name in the auth.driver setting and its initialisation parameters in the auth.init setting.
Your class must have a public no-argument constructor. The BASE application will create only one instance of the class for the lifetime of the BASE server. The class must be thread-safe since it may be invoked by multiple threads at the same time. Here are the methods that you must implement:
secondary.storage.driverauth.init setting in your base.config file. This method is only called once for an object. The syntax and meaning of the parameter are driver-dependent. It is irrelevant for the BASE core.
AuthenticationInformation object if the authentication is successful or throw an exception if not. Exceptions:
UnknownLoginException: This exception should be thrown if the login is not known to the external authentication system.
InvalidPasswordException: This exception should be thrown if the login is known but the password is invalid. In case it is considered a security issue to reveal that a login exists, the plugin may throw an UnknownLoginException instead.
AuthenticationException: In case there is another problem, such as the authentication service being down. This exception is the only one that triggers the use of cached passwords.
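An authenticator that follows the contract described above, added here as an example and not taken from BASE. The exception and AuthenticationInformation classes are locally declared stand-ins, and the method signatures, the Directory client, the in-memory account and the hideLogins=true value for auth.init are all assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

// Stand-ins for the BASE types named on this page; the real signatures may differ.
class UnknownLoginException extends RuntimeException {}
class InvalidPasswordException extends RuntimeException {}
class AuthenticationException extends RuntimeException { AuthenticationException(Throwable c) { super(c); } }
class AuthenticationInformation { final String login; AuthenticationInformation(String l) { login = l; } }
// Hypothetical client for the external service: null means "no such login",
// IOException means the service could not be reached.
interface Directory { byte[] secretFor(String login) throws IOException; }

public class ExampleAuthenticator {
    // Written once by init(), then only read, so concurrent authenticate() calls are safe.
    private volatile boolean hideLogins;
    private volatile Directory directory;
    public ExampleAuthenticator() {}  // public no-argument constructor
    public void init(String settings) {
        // Constructed auth.init syntax (an assumption): "hideLogins=true".
        hideLogins = "hideLogins=true".equals(settings);
        Map<String, byte[]> demo = Map.of("alice", "s3cret".getBytes(StandardCharsets.UTF_8));
        directory = demo::get;  // constructed in-memory stand-in for the real service
    }

    public AuthenticationInformation authenticate(String login, String password) {
        if (login == null || password == null) throw new UnknownLoginException();
        byte[] expected;
        try {
            expected = directory.secretFor(login);
        } catch (IOException e) {
            // Outages only: this is the one exception that lets BASE use cached passwords.
            throw new AuthenticationException(e);
        }
        if (expected == null) throw new UnknownLoginException();
        if (!MessageDigest.isEqual(expected, password.getBytes(StandardCharsets.UTF_8))) {
            // Report a bad password as an unknown login when login existence must not leak.
            if (hideLogins) throw new UnknownLoginException();
            throw new InvalidPasswordException();
        }
        return new AuthenticationInformation(login);
    }
    public static void main(String[] args) {
        ExampleAuthenticator auth = new ExampleAuthenticator();
        auth.init("hideLogins=true");
        System.out.println(auth.authenticate("alice", "s3cret").login);
    }
}
```

Rejected credentials never surface as AuthenticationException here, so a wrong password cannot fall through to the cached-password path.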
The configuration settings for the authentication driver are located in the base.config file. Here is an overview of the settings. For more information read the base.config reference.
init() method.