On 2011-07-26 22:47, Pawel Sztromwasser wrote:
> Hello BASE team!
> Extending a little on our recent developments regarding external
> authentication in BASE [1], I am working now on a Web service interface
> to BASE that will authenticate users based on secure tokens issued by a
> trusted STS. The STS authenticates users with username and password, and
> issues a crypted token confirming their credentials. The token is valid
> for a limited time and can be used for authentication in applications
> and services that trust the STS.
> The STS token does not contain a password, only a user id, so with the
> current implementation of SessionControl I was unable to log in. I added
> one method to the SessionControl class (see attached diff), included a
> TokenAuthenticator interface (attached), and everything worked nicely. The
> extra operation allows logging in using a single token object and a
> validator that can verify the token. The operation contains substantial
> parts of SessionControl.verifyUserExternal(), which can be extracted to
> a separate method. The TokenAuthenticator interface and original
> Authenticator interface are also quite similar, so they could maybe
> share a common ancestor.
> I know that the change is in the heart of BASE, but it is small and
> would provide an additional way of programmatic interaction with BASE. If
> they pass the tests, could you consider including the changes in the
> BASE codebase?

Thanks for the suggestions. Maybe I am missing something but wouldn't it 
be possible to send the username and password to the STS as part of the 
BASE login? Or, use an empty password string?

In any case, I am not sure that supplying a TokenAuthenticator object as 
a parameter to the login method is a good idea, since it would be very 
easy to provide an implementation that just accepts anything.

There are also some plans to change the authentication as part of BASE 3 
development (http://base.thep.lu.se/ticket/1599). There is not much 
information since we haven't been thinking very much about this and at 
the moment I am not sure if we will have time to do it before releasing 
BASE 3. It depends a bit on when some of the other BASE 3 features are 
needed in production. I'll keep a link to this thread so that we don't 
forget it.
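
The concern raised in the reply about a caller-supplied validator, as an added example that is not part of the original thread or of the BASE code base: every class, interface and method name below is hypothetical, and the HMAC-signed token format is an assumption standing in for whatever the STS actually issues.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class TokenLoginDesign {
    // Hypothetical stand-in for the attached interface: returns the user id, or null if rejected.
    interface TokenAuthenticator { String verify(String token); }

    // Shape of the proposed method: the caller decides what counts as a valid token.
    static String loginCallerSupplied(String token, TokenAuthenticator validator) {
        return validator.verify(token);
    }

    // Alternative: the validator is fixed by server configuration, callers pass only the token.
    static final class Session {
        private final TokenAuthenticator configured;
        Session(TokenAuthenticator configured) { this.configured = configured; }
        String login(String token) { return configured.verify(token); }
    }

    // Assumed token format: userId + "." + base64url(HMAC-SHA256(key, userId)).
    static TokenAuthenticator hmacValidator(byte[] key) {
        return token -> {
            int dot = token.lastIndexOf('.');
            if (dot <= 0) return null;
            String user = token.substring(0, dot);
            try {
                byte[] presented = Base64.getUrlDecoder().decode(token.substring(dot + 1));
                // Constant-time comparison of the expected and presented signatures.
                return MessageDigest.isEqual(sign(key, user), presented) ? user : null;
            } catch (Exception e) { return null; }
        };
    }

    static byte[] sign(byte[] key, String user) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(user.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        String forged = "root.AAAA"; // constructed token with a bogus signature
        String valid = "alice." + Base64.getUrlEncoder().withoutPadding().encodeToString(sign(key, "alice"));
        // An accept-anything validator passed by the caller trusts whatever the token claims.
        System.out.println(loginCallerSupplied(forged, t -> t.substring(0, t.indexOf('.'))));
        Session session = new Session(hmacValidator(key));
        System.out.println(session.login(forged)); // rejected by the configured validator
        System.out.println(session.login(valid));  // accepted: signature matches
    }
}
```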


basedb-devel mailing list
