Plugins for user authentication

NOTE! This document is outdated and has been replaced with newer documentation. See Plug-in developer: Authentication plug-ins

This document describes how to create a plugin that uses an external solution to authenticate users.

Contents

  1. Internal vs. external authentication
  2. The Authenticator interface
  3. Configuration settings

See also

Last updated: $Date: 2009-04-06 14:52:39 +0200 (må, 06 apr 2009) $

1. Internal vs. external authentication

BASE can authenticate users in two ways: internal authentication or external authentication. With internal authentication, BASE stores logins and passwords in its own database. With external authentication, this is handled by an external application. Even with external authentication, it is possible to let BASE cache the logins/passwords. This makes it possible to log in to BASE if the external authentication server is down.

An external authentication server can only be used to grant or deny a user access to BASE. It can't be used to give a user permissions inside BASE.

The external authentication service is only used when a user logs in. Now, one of several things can happen:

2. The Authenticator interface

To be able to use external authentication you must have a class that implements the Authenticator interface. In your base.config file you specify the class name in the auth.driver setting and its initialisation parameters in the auth.init setting.

Your class must have a public no-argument constructor. The BASE application will create only one instance of the class for the lifetime of the BASE server. It must be thread-safe since it may be invoked by multiple threads at the same time. Here are the methods that you must implement:

public void init(String settings);
This method is called just after the object has been created, with its argument taken from the auth.init setting in your base.config file. This method is only called once for an object. The syntax and meaning of the parameter is driver-dependent. It is irrelevant for the BASE core.
public boolean supportsExtraInformation();
This method should simply return true or false depending on whether the authentication driver supports extra user information. The only required information about a user is a unique ID and the login. Extra information includes name, address, phone, email, etc.
public AuthenticationInformation authenticate(String login, String password);
Try to authenticate a login/password combination. The driver should return an AuthenticationInformation object if the authentication is successful or throw an exception if not. Exceptions:

3. Configuration settings

The configuration settings for the authentication driver are located in the base.config file. Here is an overview of the settings. For more information, read the base.config reference.

auth.driver
The class name of the authentication plugin.
auth.init
Initialisation parameters sent to the plugin by calling the init() method.
auth.synchronize
Whether extra user information is synchronized at login time. This setting is ignored if the driver doesn't support extra information.
auth.cachepasswords
Whether passwords should be cached by BASE. If the passwords are cached, a user may log in to BASE even if the external authentication server is down.
auth.daystocache
How many days to cache the passwords if that is enabled. A value of 0 caches the passwords forever.
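
An added example, not part of the original BASE documentation and not BASE's own code: a thread-safe authenticator that follows the contract from section 2 and receives its settings the way auth.init delivers them (Java 17). The Authenticator and AuthenticationInformation declarations are stand-ins reduced to what this page states. The settings syntax, the PBKDF2 credential list standing in for the external service, and the use of SecurityException are assumptions.

```java
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class DemoAuthenticator implements Authenticator {
    // Replaced as a whole in init() and never mutated: safe for concurrent authenticate() calls.
    private volatile Map<String, String[]> users = Map.of();
    public DemoAuthenticator() {}  // public no-argument constructor, as the page requires
    // Assumed settings syntax: "login:id:saltHex:hashHex" entries separated by ';'.
    public void init(String settings) {
        Map<String, String[]> m = new HashMap<>();
        for (String e : settings.split(";")) {
            String[] f = e.split(":");
            if (f.length == 4) m.put(f[0], f); else throw new IllegalArgumentException("bad auth.init entry");
        }
        users = Map.copyOf(m);
    }
    public boolean supportsExtraInformation() { return false; }  // only ID and login are returned
    public AuthenticationInformation authenticate(String login, String password) {
        String[] u = users.get(login);
        // Derive a hash for unknown logins too, so timing does not reveal which logins exist.
        byte[] got = pbkdf2(password, u == null ? "00" : u[2]);
        boolean ok = u != null && MessageDigest.isEqual(got, HexFormat.of().parseHex(u[3]));
        if (!ok) throw new SecurityException("Login failed");  // exception type is an assumption
        return new AuthenticationInformation(u[1], u[0]);
    }
    static byte[] pbkdf2(String password, String saltHex) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), HexFormat.of().parseHex(saltHex), 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    public static void main(String[] args) {
        String salt = "a1b2c3d4e5f60718";  // constructed sample values
        String hash = HexFormat.of().formatHex(pbkdf2("correct horse", salt));
        DemoAuthenticator a = new DemoAuthenticator();
        a.init("alice:1001:" + salt + ":" + hash);  // the string BASE would pass from auth.init
        System.out.println(a.authenticate("alice", "correct horse").id());
        try { a.authenticate("bob", "x"); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
// Stand-ins (assumptions) for BASE's own types, reduced to what the page states.
interface Authenticator {
    void init(String settings);
    boolean supportsExtraInformation();
    AuthenticationInformation authenticate(String login, String password);
}
record AuthenticationInformation(String id, String login) {}
```

The unknown login and a wrong password produce the same exception and message, so a caller cannot use the response to enumerate logins.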