Opened 14 years ago
Closed 13 years ago
#1575 closed enhancement (fixed)
Add support for authenticator plug-in in external JAR files
Reported by: | Nicklas Nordborg | Owned by: | Nicklas Nordborg |
---|---|---|---|
Priority: | major | Milestone: | BASE 3.0 |
Component: | core | Version: | |
Keywords: | | Cc: | |
Description
Currently, classes/JAR files for external authentication that are installed by users need to be located in the default class path (e.g. WEB-INF/classes or WEB-INF/lib). This may be problematic if the external authentication uses 3rd-party JARs that are incompatible with those shipped together with BASE.
It shouldn't be too difficult to modify the Application.getAuthenticator() method so that it can use a different class loader defined in the base.config file.
For some background information see the mailing list: http://www.mail-archive.com/basedb-devel@lists.sourceforge.net/msg00433.html
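As an added illustration of the approach described above (not code from BASE or from the attached diff): a class loader that looks in the plug-in JAR before delegating to the web application, so that third-party libraries bundled with the plug-in take precedence over the shipped ones. The `Authenticator` interface, the `ExternalAuthLoader` and `PluginClassLoader` names, and the two values passed to `load()` are assumptions made for this example.

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class ExternalAuthLoader {
    /** Hypothetical stand-in for the core's authenticator interface. */
    public interface Authenticator { boolean authenticate(String login, String password); }

    /** Looks in the plug-in JAR first, so its bundled libraries win over the web app's copies. */
    static final class PluginClassLoader extends URLClassLoader {
        PluginClassLoader(URL jar, ClassLoader parent) { super(new URL[] { jar }, parent); }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                // The shared interface must always come from the parent, or the cast in load() fails.
                if (c == null && !name.equals(Authenticator.class.getName())) {
                    try { c = findClass(name); }
                    catch (ClassNotFoundException e) { /* not in the JAR: ask the parent */ }
                }
                if (c == null) c = super.loadClass(name, false);
                if (resolve) resolveClass(c);
                return c;
            }
        }
    }

    /** jarPath and className are assumed to be read from the configuration file. */
    public static Authenticator load(String jarPath, String className)
            throws IOException, ReflectiveOperationException {
        Path jar = Paths.get(jarPath).toRealPath(); // resolves symlinks; throws if the file is missing
        if (!Files.isRegularFile(jar)) throw new IOException("Not a regular file: " + jar);
        ClassLoader loader = new PluginClassLoader(jar.toUri().toURL(), Authenticator.class.getClassLoader());
        // initialize=false: no static initializer of the plug-in runs before the type check below
        Class<?> raw = Class.forName(className, false, loader);
        return raw.asSubclass(Authenticator.class).getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        // Usage: java ExternalAuthLoader <plugin.jar> <class name>
        Authenticator auth = load(args[0], args[1]);
        System.out.println(auth.getClass().getName() + " loaded by " + auth.getClass().getClassLoader());
    }
}
```

Code loaded this way runs with the same privileges as the web application and sees every password passed to it, so the configuration file and the JAR it points to should be writable only by the administrator.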
Attachments (1)
Change History (6)
by , 14 years ago
Attachment: | externalAuth.diff added |
---|
comment:1 by , 14 years ago
Here is the diff that will make BASE use a separate class loader for external auth plugins. In Application.getAuthenticator I pretty much copy-pasted the code you suggested.
The change in SessionControl is my unsuccessful attempt to change the way BASE handles external authentication exceptions. I forgot to look into login.jsp to see how the exceptions are handled there. So please ignore the diff for SessionControl.
Anyway, the problem is the following. The documentation says that if 'it is considered a security issue to reveal that a login exists, the plugin may throw an UnknownLoginException instead'. I don't have a problem with information sensitivity here, but the authentication system I am using simply says only that login and password don't match. So my plugin throws UnknownLoginExc, and the only message BASE will show to the user is 'The user with login XXXXX is not a registered user for BASE.' That is sort of misleading when one has an account and knows that the login is correct. So I was thinking about a way of pushing the message from an external auth plugin into the error BASE displays, so that it could inform the user better. The exception's message is possibly the best, so I will look into it again, not forgetting the login page this time...
comment:2 by , 13 years ago
Milestone: | → BASE 3.0 |
---|
Moving this to 3.0 since I think #1599 will not happen in the near future.
comment:3 by , 13 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:4 by , 13 years ago
comment:5 by , 13 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
diffs of Application and SessionControl classes (version 2.16.1)