jackrabbit-oak-issues mailing list archives

From "angela (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (OAK-6345) Allow TokenLoginModule framework to create token for other LoginModules if userid is not known in login()
Date Thu, 01 Feb 2018 13:49:00 GMT

     [ https://issues.apache.org/jira/browse/OAK-6345?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

angela resolved OAK-6345.
-------------------------
    Resolution: Not A Problem

> Allow TokenLoginModule framework to create token for other LoginModules if userid is not known in login()
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: OAK-6345
>                 URL: https://issues.apache.org/jira/browse/OAK-6345
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: core, security
>            Reporter: Alexander Klimetschek
>            Priority: Major
>
> If a custom LoginModule accepting custom credentials (or ExternalIdentityProvider) wants to switch the credentials (e.g. on the first request of a web app) to a token from the TokenModule (i.e. return this in the (Simple)Credentials after login() for use by a request handler) this is currently not possible when the user id is not known up front in the login() call, but only detected by the custom LoginModule, and passed around between login modules using {{javax.security.auth.login.name}}.
> This is a follow up from OAK-3899.
> 1. The main recommendation there was, instead of the TokenLoginModule respecting the shared key {{javax.security.auth.login.name}} and a special handling of SimpleCredentials as in the patch, leave this to a custom TokenProvider.
> This would require to change the TokenProvider API to pass through the key (or all keys), something along the lines of:
> {code:java}
> TokenInfo createToken(@Nonnull Credentials credentials, String loginName)
> {code}
> Since it also requires an application that has been relying on the default TokenProviderImpl, to replicate that logic, it might be desirable to make it easy to reuse that code. E.g. by wrapping and calling the other token provider (maybe this is already possible today in some way).
> 2. Another approach might be to call {{TokenInfo.createToken(userId, attributes)}} from the custom LoginModule aka ExternalIdentityProvider. The question then would be how it can access it (as e.g. osgi service) and if that's a good solution.
> 3. There might be another intended way through reusing the new CredentialsSupport from OAK-4129, but it seems the crucial {{javax.security.auth.login.name}} is not passed through to the relevant code.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
